10/09/2020 08:38:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=EC2AMAZ-V5DC57V TaskCategory=Process Creation OpCode=Info RecordNumber=223463 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1c4 New Process Name: C:\Windows\System32\autochk.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x1a0 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 10/09/2020 08:38:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=EC2AMAZ-V5DC57V TaskCategory=Process Creation OpCode=Info RecordNumber=223462 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1a0 New Process Name: C:\Windows\System32\smss.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x4 Creator Process Name: Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 10/09/2020 08:38:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4826 EventType=0 Type=Information ComputerName=EC2AMAZ-V5DC57V TaskCategory=Other Policy Change Events OpCode=Info RecordNumber=223461 Keywords=Audit Success Message=Boot Configuration Data loaded. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 General Settings: Load Options: - Advanced Options: No Configuration Access Policy: Default System Event Logging: No Kernel Debugging: No VSM Launch Type: Off Signature Settings: Test Signing: No Flight Signing: No Disable Integrity Checks: No HyperVisor Settings: HyperVisor Load Options: - HyperVisor Launch Type: Off HyperVisor Debugging: No 10/09/2020 08:38:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=EC2AMAZ-V5DC57V TaskCategory=Process Creation OpCode=Info RecordNumber=223464 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1f0 New Process Name: C:\Windows\System32\setupcl.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x1a0 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 10/09/2020 08:39:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-V5DC57V TaskCategory=Logon OpCode=Info RecordNumber=223474 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 0 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: - New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4 Process Name: Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: - Authentication Package: - Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:39:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4608 EventType=0 Type=Information ComputerName=EC2AMAZ-V5DC57V TaskCategory=Security State Change OpCode=Info RecordNumber=223473 Keywords=Audit Success Message=Windows is starting up. This event is logged when LSASS.EXE starts and the auditing subsystem is initialized. 10/09/2020 08:39:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=EC2AMAZ-V5DC57V TaskCategory=Process Creation OpCode=Info RecordNumber=223472 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x2e8 New Process Name: C:\Windows\System32\lsass.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x258 Creator Process Name: C:\Windows\System32\wininit.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 10/09/2020 08:39:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=EC2AMAZ-V5DC57V TaskCategory=Process Creation OpCode=Info RecordNumber=223471 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x2d8 New Process Name: C:\Windows\System32\services.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x258 Creator Process Name: C:\Windows\System32\wininit.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 10/09/2020 08:39:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=EC2AMAZ-V5DC57V TaskCategory=Process Creation OpCode=Info RecordNumber=223470 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x2a4 New Process Name: C:\Windows\System32\winlogon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x250 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 10/09/2020 08:39:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=EC2AMAZ-V5DC57V TaskCategory=Process Creation OpCode=Info RecordNumber=223469 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x260 New Process Name: C:\Windows\System32\csrss.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x250 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 10/09/2020 08:39:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=EC2AMAZ-V5DC57V TaskCategory=Process Creation OpCode=Info RecordNumber=223468 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x258 New Process Name: C:\Windows\System32\wininit.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x20c Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 10/09/2020 08:39:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=EC2AMAZ-V5DC57V TaskCategory=Process Creation OpCode=Info RecordNumber=223467 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x250 New Process Name: C:\Windows\System32\smss.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x1a0 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 10/09/2020 08:39:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=EC2AMAZ-V5DC57V TaskCategory=Process Creation OpCode=Info RecordNumber=223466 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x214 New Process Name: C:\Windows\System32\csrss.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x20c Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 10/09/2020 08:39:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=EC2AMAZ-V5DC57V TaskCategory=Process Creation OpCode=Info RecordNumber=223465 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x20c New Process Name: C:\Windows\System32\smss.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x1a0 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 10/09/2020 08:39:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-V5DC57V TaskCategory=Special Logon OpCode=Info RecordNumber=223486 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:39:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-V5DC57V TaskCategory=Logon OpCode=Info RecordNumber=223485 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-V5DC57V$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2d8 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:39:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-V5DC57V TaskCategory=Special Logon OpCode=Info RecordNumber=223484 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: Window Manager\DWM-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x58B28 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege 10/09/2020 08:39:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-V5DC57V TaskCategory=Special Logon OpCode=Info RecordNumber=223483 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: Window Manager\DWM-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x58B16 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege 10/09/2020 08:39:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-V5DC57V TaskCategory=Logon OpCode=Info RecordNumber=223482 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-V5DC57V$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: Window Manager\DWM-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x58B28 Linked Logon ID: 0x58B16 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2a4 Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:39:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-V5DC57V TaskCategory=Logon OpCode=Info RecordNumber=223481 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-V5DC57V$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: Window Manager\DWM-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x58B16 Linked Logon ID: 0x58B28 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2a4 Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:39:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-V5DC57V TaskCategory=Logon OpCode=Info RecordNumber=223480 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-V5DC57V$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: DWM-1 Account Domain: Window Manager Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x2a4 Process Name: C:\Windows\System32\winlogon.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 08:39:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-V5DC57V TaskCategory=Special Logon OpCode=Info RecordNumber=223479 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: NETWORK SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E4 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege 10/09/2020 08:39:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-V5DC57V TaskCategory=Logon OpCode=Info RecordNumber=223478 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-V5DC57V$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: NETWORK SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2d8 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:39:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-V5DC57V TaskCategory=Special Logon OpCode=Info RecordNumber=223477 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:39:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-V5DC57V TaskCategory=Logon OpCode=Info RecordNumber=223476 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-V5DC57V$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2d8 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:39:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4902 EventType=0 Type=Information ComputerName=EC2AMAZ-V5DC57V TaskCategory=Audit Policy Change OpCode=Info RecordNumber=223475 Keywords=Audit Success Message=The Per-user audit policy table was created. Number of Elements: 0 Policy ID: 0x51D7A 10/09/2020 08:39:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-V5DC57V TaskCategory=Special Logon OpCode=Info RecordNumber=223492 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:39:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-V5DC57V TaskCategory=Logon OpCode=Info RecordNumber=223491 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-V5DC57V$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2d8 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:39:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-V5DC57V TaskCategory=Special Logon OpCode=Info RecordNumber=223490 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:39:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-V5DC57V TaskCategory=Logon OpCode=Info RecordNumber=223489 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-V5DC57V$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2d8 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:39:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-V5DC57V TaskCategory=Special Logon OpCode=Info RecordNumber=223488 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\LOCAL SERVICE Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege 10/09/2020 08:39:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-V5DC57V TaskCategory=Logon OpCode=Info RecordNumber=223487 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-V5DC57V$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\LOCAL SERVICE Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2d8 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:39:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-V5DC57V TaskCategory=Special Logon OpCode=Info RecordNumber=223494 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:39:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-V5DC57V TaskCategory=Logon OpCode=Info RecordNumber=223493 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-V5DC57V$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2d8 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:39:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-V5DC57V TaskCategory=Logon OpCode=Info RecordNumber=223502 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\ANONYMOUS LOGON Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x613FB Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V1 Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:39:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-V5DC57V TaskCategory=Special Logon OpCode=Info RecordNumber=223501 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:39:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-V5DC57V TaskCategory=Logon OpCode=Info RecordNumber=223500 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-V5DC57V$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2d8 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:39:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-V5DC57V TaskCategory=Special Logon OpCode=Info RecordNumber=223499 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:39:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-V5DC57V TaskCategory=Logon OpCode=Info RecordNumber=223498 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-V5DC57V$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2d8 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:39:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-V5DC57V TaskCategory=Special Logon OpCode=Info RecordNumber=223497 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:39:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-V5DC57V TaskCategory=Logon OpCode=Info RecordNumber=223496 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-V5DC57V$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2d8 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:39:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5033 EventType=0 Type=Information ComputerName=EC2AMAZ-V5DC57V TaskCategory=Other System Events OpCode=Info RecordNumber=223495 Keywords=Audit Success Message=The Windows Firewall Driver started successfully. 10/09/2020 08:39:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5024 EventType=0 Type=Information ComputerName=EC2AMAZ-V5DC57V TaskCategory=Other System Events OpCode=Info RecordNumber=223503 Keywords=Audit Success Message=The Windows Firewall service started successfully. 10/09/2020 08:39:38 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4616 EventType=0 Type=Information ComputerName=EC2AMAZ-V5DC57V TaskCategory=Security State Change OpCode=Info RecordNumber=223507 Keywords=Audit Success Message=The system time was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-V5DC57V$ Account Domain: WORKGROUP Logon ID: 0x3E7 Process Information: Process ID: 0xa68 Name: C:\Windows\System32\rundll32.exe Previous Time: ‎2020‎-‎10‎-‎09T08:39:38.700704000Z New Time: ‎2020‎-‎10‎-‎09T08:39:38.689000000Z This event is generated when the system time is changed. It is normal for the Windows Time Service, which runs with System privilege, to change the system time on a regular basis. Other system time changes may be indicative of attempts to tamper with the computer. 10/09/2020 08:39:38 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4724 EventType=0 Type=Information ComputerName=EC2AMAZ-V5DC57V TaskCategory=User Account Management OpCode=Info RecordNumber=223506 Keywords=Audit Success Message=An attempt was made to reset an account's password. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-V5DC57V$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-V5DC57V 10/09/2020 08:39:38 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4738 EventType=0 Type=Information ComputerName=EC2AMAZ-V5DC57V TaskCategory=User Account Management OpCode=Info RecordNumber=223505 Keywords=Audit Success Message=A user account was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-V5DC57V$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-V5DC57V Changed Attributes: SAM Account Name: Administrator Display Name: User Principal Name: - Home Directory: Home Drive: Script Path: Profile Path: User Workstations: Password Last Set: 10/9/2020 8:39:38 AM Account Expires: Primary Group ID: 513 AllowedToDelegateTo: - Old UAC Value: 0x10 New UAC Value: 0x14 User Account Control: 'Password Not Required' - Enabled User Parameters: - SID History: - Logon Hours: All Additional Information: Privileges: - 10/09/2020 08:39:38 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4798 EventType=0 Type=Information ComputerName=EC2AMAZ-V5DC57V TaskCategory=User Account Management OpCode=Info RecordNumber=223504 Keywords=Audit Success Message=A user's local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-V5DC57V$ Account Domain: WORKGROUP Logon ID: 0x3E7 User: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-V5DC57V Process Information: Process ID: 0xa0c Process Name: C:\Windows\System32\net1.exe 10/09/2020 08:39:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4616 EventType=0 Type=Information ComputerName=EC2AMAZ-V5DC57V TaskCategory=Security State Change OpCode=Info RecordNumber=223509 Keywords=Audit Success Message=The system time was changed. Subject: Security ID: NT AUTHORITY\LOCAL SERVICE Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Process Information: Process ID: 0x4e8 Name: C:\Windows\System32\svchost.exe Previous Time: ‎2020‎-‎10‎-‎09T08:39:44.130546000Z New Time: ‎2020‎-‎10‎-‎09T08:39:44.117000000Z This event is generated when the system time is changed. It is normal for the Windows Time Service, which runs with System privilege, to change the system time on a regular basis. Other system time changes may be indicative of attempts to tamper with the computer. 10/09/2020 08:39:44 AM LogName=Security SourceName=Microsoft-Windows-Eventlog EventCode=1100 EventType=4 Type=Information ComputerName=EC2AMAZ-V5DC57V TaskCategory=Service shutdown OpCode=Info RecordNumber=223508 Keywords=Audit Success Message=The event logging service has shut down. 10/09/2020 08:40:22 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Process Creation OpCode=Info RecordNumber=223512 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1b8 New Process Name: C:\Windows\System32\autochk.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x190 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 10/09/2020 08:40:22 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Process Creation OpCode=Info RecordNumber=223511 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x190 New Process Name: C:\Windows\System32\smss.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x4 Creator Process Name: Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 10/09/2020 08:40:22 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4826 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Other Policy Change Events OpCode=Info RecordNumber=223510 Keywords=Audit Success Message=Boot Configuration Data loaded. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 General Settings: Load Options: - Advanced Options: No Configuration Access Policy: Default System Event Logging: No Kernel Debugging: No VSM Launch Type: Off Signature Settings: Test Signing: No Flight Signing: No Disable Integrity Checks: No HyperVisor Settings: HyperVisor Load Options: - HyperVisor Launch Type: Off HyperVisor Debugging: No 10/09/2020 08:40:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223522 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 0 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: - New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4 Process Name: Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: - Authentication Package: - Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:40:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4608 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Security State Change OpCode=Info RecordNumber=223521 Keywords=Audit Success Message=Windows is starting up. This event is logged when LSASS.EXE starts and the auditing subsystem is initialized. 10/09/2020 08:40:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Process Creation OpCode=Info RecordNumber=223520 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x2c0 New Process Name: C:\Windows\System32\lsass.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x238 Creator Process Name: C:\Windows\System32\wininit.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 10/09/2020 08:40:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Process Creation OpCode=Info RecordNumber=223519 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x2b8 New Process Name: C:\Windows\System32\services.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x238 Creator Process Name: C:\Windows\System32\wininit.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 10/09/2020 08:40:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Process Creation OpCode=Info RecordNumber=223518 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x284 New Process Name: C:\Windows\System32\winlogon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x230 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 10/09/2020 08:40:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Process Creation OpCode=Info RecordNumber=223517 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x240 New Process Name: C:\Windows\System32\csrss.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x230 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 10/09/2020 08:40:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Process Creation OpCode=Info RecordNumber=223516 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x238 New Process Name: C:\Windows\System32\wininit.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x1e4 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 10/09/2020 08:40:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Process Creation OpCode=Info RecordNumber=223515 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x230 New Process Name: C:\Windows\System32\smss.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x190 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 10/09/2020 08:40:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Process Creation OpCode=Info RecordNumber=223514 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1ec New Process Name: C:\Windows\System32\csrss.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x1e4 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 10/09/2020 08:40:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Process Creation OpCode=Info RecordNumber=223513 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1e4 New Process Name: C:\Windows\System32\smss.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x190 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 10/09/2020 08:40:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Special Logon OpCode=Info RecordNumber=223540 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:40:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223539 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2b8 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:40:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Special Logon OpCode=Info RecordNumber=223538 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:40:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223537 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2b8 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:40:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Special Logon OpCode=Info RecordNumber=223536 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:40:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223535 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2b8 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:40:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Special Logon OpCode=Info RecordNumber=223534 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\LOCAL SERVICE Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege 10/09/2020 08:40:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223533 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\LOCAL SERVICE Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2b8 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:40:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Special Logon OpCode=Info RecordNumber=223532 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: Window Manager\DWM-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0xA094 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege 10/09/2020 08:40:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Special Logon OpCode=Info RecordNumber=223531 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: Window Manager\DWM-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0xA07F Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege 10/09/2020 08:40:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223530 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: Window Manager\DWM-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0xA094 Linked Logon ID: 0xA07F Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x284 Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:40:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223529 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: Window Manager\DWM-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0xA07F Linked Logon ID: 0xA094 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x284 Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:40:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223528 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: DWM-1 Account Domain: Window Manager Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x284 Process Name: C:\Windows\System32\winlogon.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 08:40:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Special Logon OpCode=Info RecordNumber=223527 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: NETWORK SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E4 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege 10/09/2020 08:40:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223526 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: NETWORK SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2b8 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:40:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Special Logon OpCode=Info RecordNumber=223525 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:40:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223524 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2b8 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:40:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4902 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Audit Policy Change OpCode=Info RecordNumber=223523 Keywords=Audit Success Message=The Per-user audit policy table was created. Number of Elements: 0 Policy ID: 0x5542 10/09/2020 08:40:30 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4616 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Security State Change OpCode=Info RecordNumber=223541 Keywords=Audit Success Message=The system time was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Process Information: Process ID: 0x448 Name: C:\Windows\System32\rundll32.exe Previous Time: ‎2020‎-‎10‎-‎09T08:40:30.046116000Z New Time: ‎2020‎-‎10‎-‎09T08:40:30.031000000Z This event is generated when the system time is changed. It is normal for the Windows Time Service, which runs with System privilege, to change the system time on a regular basis. Other system time changes may be indicative of attempts to tamper with the computer. 10/09/2020 08:40:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Special Logon OpCode=Info RecordNumber=223624 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:40:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223623 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2b8 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:40:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4737 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Security Group Management OpCode=Info RecordNumber=223622 Keywords=Audit Success Message=A security-enabled global group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: ATTACKRANGE\Domain Users Group Name: None Group Domain: EC2AMAZ-I44GJRK Changed Attributes: SAM Account Name: None SID History: - Additional Information: Privileges: - 10/09/2020 08:40:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4781 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=User Account Management OpCode=Info RecordNumber=223621 Keywords=Audit Success Message=The name of an account was changed: Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: ATTACKRANGE\Domain Users Account Domain: EC2AMAZ-I44GJRK Old Account Name: None New Account Name: None Additional Information: Privileges: - 10/09/2020 08:40:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4737 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Security Group Management OpCode=Info RecordNumber=223620 Keywords=Audit Success Message=A security-enabled global group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: ATTACKRANGE\Domain Users Group Name: None Group Domain: EC2AMAZ-I44GJRK Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 10/09/2020 08:40:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4738 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=User Account Management OpCode=Info RecordNumber=223619 Keywords=Audit Success Message=A user account was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: ATTACKRANGE\DefaultAccount Account Name: DefaultAccount Account Domain: EC2AMAZ-I44GJRK Changed Attributes: SAM Account Name: DefaultAccount Display Name: User Principal Name: - Home Directory: Home Drive: Script Path: Profile Path: User Workstations: Password Last Set: Account Expires: Primary Group ID: 513 AllowedToDelegateTo: - Old UAC Value: 0x215 New UAC Value: 0x215 User Account Control: - User Parameters: SID History: - Logon Hours: All Additional Information: Privileges: - 10/09/2020 08:40:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4738 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=User Account Management OpCode=Info RecordNumber=223618 Keywords=Audit Success Message=A user account was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: ATTACKRANGE\DefaultAccount Account Name: DefaultAccount Account Domain: EC2AMAZ-I44GJRK Changed Attributes: SAM Account Name: DefaultAccount Display Name: User Principal Name: - Home Directory: Home Drive: Script Path: Profile Path: User Workstations: Password Last Set: Account Expires: Primary Group ID: 513 AllowedToDelegateTo: - Old UAC Value: 0x215 New UAC Value: 0x215 User Account Control: - User Parameters: SID History: - Logon Hours: All Additional Information: Privileges: - 10/09/2020 08:40:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4738 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=User Account Management OpCode=Info RecordNumber=223617 Keywords=Audit Success Message=A user account was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: ATTACKRANGE\Guest Account Name: Guest Account Domain: EC2AMAZ-I44GJRK Changed Attributes: SAM Account Name: Guest Display Name: User Principal Name: - Home Directory: Home Drive: Script Path: Profile Path: User Workstations: Password Last Set: Account Expires: Primary Group ID: 513 AllowedToDelegateTo: - Old UAC Value: 0x215 New UAC Value: 0x215 User Account Control: - User Parameters: SID History: - Logon Hours: All Additional Information: Privileges: - 10/09/2020 08:40:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4738 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=User Account Management OpCode=Info RecordNumber=223616 Keywords=Audit Success Message=A user account was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: ATTACKRANGE\Guest Account Name: Guest Account Domain: EC2AMAZ-I44GJRK Changed Attributes: SAM Account Name: Guest Display Name: User Principal Name: - Home Directory: Home Drive: Script Path: Profile Path: User Workstations: Password Last Set: Account Expires: Primary Group ID: 513 AllowedToDelegateTo: - Old UAC Value: 0x215 New UAC Value: 0x215 User Account Control: - User Parameters: SID History: - Logon Hours: All Additional Information: Privileges: - 10/09/2020 08:40:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4738 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=User Account Management OpCode=Info RecordNumber=223615 Keywords=Audit Success Message=A user account was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Changed Attributes: SAM Account Name: Administrator Display Name: User Principal Name: - Home Directory: Home Drive: Script Path: Profile Path: User Workstations: Password Last Set: 10/9/2020 8:39:38 AM Account Expires: Primary Group ID: 513 AllowedToDelegateTo: - Old UAC Value: 0x14 New UAC Value: 0x14 User Account Control: - User Parameters: SID History: - Logon Hours: All Additional Information: Privileges: - 10/09/2020 08:40:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4738 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=User Account Management OpCode=Info RecordNumber=223614 Keywords=Audit Success Message=A user account was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Changed Attributes: SAM Account Name: Administrator Display Name: User Principal Name: - Home Directory: Home Drive: Script Path: Profile Path: User Workstations: Password Last Set: 10/9/2020 8:39:38 AM Account Expires: Primary Group ID: 513 AllowedToDelegateTo: - Old UAC Value: 0x14 New UAC Value: 0x14 User Account Control: - User Parameters: SID History: - Logon Hours: All Additional Information: Privileges: - 10/09/2020 08:40:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Security Group Management OpCode=Info RecordNumber=223613 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\System Managed Group Group Name: System Managed Accounts Group Group Domain: Builtin Changed Attributes: SAM Account Name: System Managed Accounts Group SID History: - Additional Information: Privileges: - 10/09/2020 08:40:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4781 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=User Account Management OpCode=Info RecordNumber=223612 Keywords=Audit Success Message=The name of an account was changed: Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: BUILTIN\System Managed Group Account Domain: Builtin Old Account Name: System Managed Accounts Group New Account Name: System Managed Accounts Group Additional Information: Privileges: - 10/09/2020 08:40:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Security Group Management OpCode=Info RecordNumber=223611 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\System Managed Group Group Name: System Managed Accounts Group Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 10/09/2020 08:40:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Security Group Management OpCode=Info RecordNumber=223610 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Storage Replica Administrators Group Name: Storage Replica Administrators Group Domain: Builtin Changed Attributes: SAM Account Name: Storage Replica Administrators SID History: - Additional Information: Privileges: - 10/09/2020 08:40:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4781 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=User Account Management OpCode=Info RecordNumber=223609 Keywords=Audit Success Message=The name of an account was changed: Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: BUILTIN\Storage Replica Administrators Account Domain: Builtin Old Account Name: Storage Replica Administrators New Account Name: Storage Replica Administrators Additional Information: Privileges: - 10/09/2020 08:40:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Security Group Management OpCode=Info RecordNumber=223608 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Storage Replica Administrators Group Name: Storage Replica Administrators Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 10/09/2020 08:40:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Security Group Management OpCode=Info RecordNumber=223607 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Remote Management Users Group Name: Remote Management Users Group Domain: Builtin Changed Attributes: SAM Account Name: Remote Management Users SID History: - Additional Information: Privileges: - 10/09/2020 08:40:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4781 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=User Account Management OpCode=Info RecordNumber=223606 Keywords=Audit Success Message=The name of an account was changed: Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: BUILTIN\Remote Management Users Account Domain: Builtin Old Account Name: Remote Management Users New Account Name: Remote Management Users Additional Information: Privileges: - 10/09/2020 08:40:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Security Group Management OpCode=Info RecordNumber=223605 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Remote Management Users Group Name: Remote Management Users Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 10/09/2020 08:40:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Security Group Management OpCode=Info RecordNumber=223604 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Access Control Assistance Operators Group Name: Access Control Assistance Operators Group Domain: Builtin Changed Attributes: SAM Account Name: Access Control Assistance Operators SID History: - Additional Information: Privileges: - 10/09/2020 08:40:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4781 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=User Account Management OpCode=Info RecordNumber=223603 Keywords=Audit Success Message=The name of an account was changed: Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: BUILTIN\Access Control Assistance Operators Account Domain: Builtin Old Account Name: Access Control Assistance Operators New Account Name: Access Control Assistance Operators Additional Information: Privileges: - 10/09/2020 08:40:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Security Group Management OpCode=Info RecordNumber=223602 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Access Control Assistance Operators Group Name: Access Control Assistance Operators Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 10/09/2020 08:40:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Security Group Management OpCode=Info RecordNumber=223601 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Hyper-V Administrators Group Name: Hyper-V Administrators Group Domain: Builtin Changed Attributes: SAM Account Name: Hyper-V Administrators SID History: - Additional Information: Privileges: - 10/09/2020 08:40:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4781 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=User Account Management OpCode=Info RecordNumber=223600 Keywords=Audit Success Message=The name of an account was changed: Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: BUILTIN\Hyper-V Administrators Account Domain: Builtin Old Account Name: Hyper-V Administrators New Account Name: Hyper-V Administrators Additional Information: Privileges: - 10/09/2020 08:40:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Security Group Management OpCode=Info RecordNumber=223599 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Hyper-V Administrators Group Name: Hyper-V Administrators Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 10/09/2020 08:40:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Security Group Management OpCode=Info RecordNumber=223598 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\RDS Management Servers Group Name: RDS Management Servers Group Domain: Builtin Changed Attributes: SAM Account Name: RDS Management Servers SID History: - Additional Information: Privileges: - 10/09/2020 08:40:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4781 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=User Account Management OpCode=Info RecordNumber=223597 Keywords=Audit Success Message=The name of an account was changed: Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: BUILTIN\RDS Management Servers Account Domain: Builtin Old Account Name: RDS Management Servers New Account Name: RDS Management Servers Additional Information: Privileges: - 10/09/2020 08:40:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Security Group Management OpCode=Info RecordNumber=223596 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\RDS Management Servers Group Name: RDS Management Servers Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 10/09/2020 08:40:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Security Group Management OpCode=Info RecordNumber=223595 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\RDS Endpoint Servers Group Name: RDS Endpoint Servers Group Domain: Builtin Changed Attributes: SAM Account Name: RDS Endpoint Servers SID History: - Additional Information: Privileges: - 10/09/2020 08:40:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4781 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=User Account Management OpCode=Info RecordNumber=223594 Keywords=Audit Success Message=The name of an account was changed: Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: BUILTIN\RDS Endpoint Servers Account Domain: Builtin Old Account Name: RDS Endpoint Servers New Account Name: RDS Endpoint Servers Additional Information: Privileges: - 10/09/2020 08:40:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Security Group Management OpCode=Info RecordNumber=223593 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\RDS Endpoint Servers Group Name: RDS Endpoint Servers Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 10/09/2020 08:40:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Security Group Management OpCode=Info RecordNumber=223592 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\RDS Remote Access Servers Group Name: RDS Remote Access Servers Group Domain: Builtin Changed Attributes: SAM Account Name: RDS Remote Access Servers SID History: - Additional Information: Privileges: - 10/09/2020 08:40:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4781 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=User Account Management OpCode=Info RecordNumber=223591 Keywords=Audit Success Message=The name of an account was changed: Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: BUILTIN\RDS Remote Access Servers Account Domain: Builtin Old Account Name: RDS Remote Access Servers New Account Name: RDS Remote Access Servers Additional Information: Privileges: - 10/09/2020 08:40:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Security Group Management OpCode=Info RecordNumber=223590 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\RDS Remote Access Servers Group Name: RDS Remote Access Servers Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 10/09/2020 08:40:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Security Group Management OpCode=Info RecordNumber=223589 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Certificate Service DCOM Access Group Name: Certificate Service DCOM Access Group Domain: Builtin Changed Attributes: SAM Account Name: Certificate Service DCOM Access SID History: - Additional Information: Privileges: - 10/09/2020 08:40:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4781 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=User Account Management OpCode=Info RecordNumber=223588 Keywords=Audit Success Message=The name of an account was changed: Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: BUILTIN\Certificate Service DCOM Access Account Domain: Builtin Old Account Name: Certificate Service DCOM Access New Account Name: Certificate Service DCOM Access Additional Information: Privileges: - 10/09/2020 08:40:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Security Group Management OpCode=Info RecordNumber=223587 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Certificate Service DCOM Access Group Name: Certificate Service DCOM Access Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 10/09/2020 08:40:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Security Group Management OpCode=Info RecordNumber=223586 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Event Log Readers Group Name: Event Log Readers Group Domain: Builtin Changed Attributes: SAM Account Name: Event Log Readers SID History: - Additional Information: Privileges: - 10/09/2020 08:40:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4781 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=User Account Management OpCode=Info RecordNumber=223585 Keywords=Audit Success Message=The name of an account was changed: Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: BUILTIN\Event Log Readers Account Domain: Builtin Old Account Name: Event Log Readers New Account Name: Event Log Readers Additional Information: Privileges: - 10/09/2020 08:40:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Security Group Management OpCode=Info RecordNumber=223584 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Event Log Readers Group Name: Event Log Readers Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 10/09/2020 08:40:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Security Group Management OpCode=Info RecordNumber=223583 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Cryptographic Operators Group Name: Cryptographic Operators Group Domain: Builtin Changed Attributes: SAM Account Name: Cryptographic Operators SID History: - Additional Information: Privileges: - 10/09/2020 08:40:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4781 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=User Account Management OpCode=Info RecordNumber=223582 Keywords=Audit Success Message=The name of an account was changed: Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: BUILTIN\Cryptographic Operators Account Domain: Builtin Old Account Name: Cryptographic Operators New Account Name: Cryptographic Operators Additional Information: Privileges: - 10/09/2020 08:40:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Security Group Management OpCode=Info RecordNumber=223581 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Cryptographic Operators Group Name: Cryptographic Operators Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 10/09/2020 08:40:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Security Group Management OpCode=Info RecordNumber=223580 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\IIS_IUSRS Group Name: IIS_IUSRS Group Domain: Builtin Changed Attributes: SAM Account Name: IIS_IUSRS SID History: - Additional Information: Privileges: - 10/09/2020 08:40:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4781 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=User Account Management OpCode=Info RecordNumber=223579 Keywords=Audit Success Message=The name of an account was changed: Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: BUILTIN\IIS_IUSRS Account Domain: Builtin Old Account Name: IIS_IUSRS New Account Name: IIS_IUSRS Additional Information: Privileges: - 10/09/2020 08:40:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Security Group Management OpCode=Info RecordNumber=223578 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\IIS_IUSRS Group Name: IIS_IUSRS Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 10/09/2020 08:40:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Security Group Management OpCode=Info RecordNumber=223577 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Distributed COM Users Group Name: Distributed COM Users Group Domain: Builtin Changed Attributes: SAM Account Name: Distributed COM Users SID History: - Additional Information: Privileges: - 10/09/2020 08:40:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4781 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=User Account Management OpCode=Info RecordNumber=223576 Keywords=Audit Success Message=The name of an account was changed: Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: BUILTIN\Distributed COM Users Account Domain: Builtin Old Account Name: Distributed COM Users New Account Name: Distributed COM Users Additional Information: Privileges: - 10/09/2020 08:40:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Security Group Management OpCode=Info RecordNumber=223575 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Distributed COM Users Group Name: Distributed COM Users Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 10/09/2020 08:40:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Security Group Management OpCode=Info RecordNumber=223574 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Performance Log Users Group Name: Performance Log Users Group Domain: Builtin Changed Attributes: SAM Account Name: Performance Log Users SID History: - Additional Information: Privileges: - 10/09/2020 08:40:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4781 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=User Account Management OpCode=Info RecordNumber=223573 Keywords=Audit Success Message=The name of an account was changed: Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: BUILTIN\Performance Log Users Account Domain: Builtin Old Account Name: Performance Log Users New Account Name: Performance Log Users Additional Information: Privileges: - 10/09/2020 08:40:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Security Group Management OpCode=Info RecordNumber=223572 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Performance Log Users Group Name: Performance Log Users Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 10/09/2020 08:40:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Security Group Management OpCode=Info RecordNumber=223571 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Performance Monitor Users Group Name: Performance Monitor Users Group Domain: Builtin Changed Attributes: SAM Account Name: Performance Monitor Users SID History: - Additional Information: Privileges: - 10/09/2020 08:40:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4781 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=User Account Management OpCode=Info RecordNumber=223570 Keywords=Audit Success Message=The name of an account was changed: Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: BUILTIN\Performance Monitor Users Account Domain: Builtin Old Account Name: Performance Monitor Users New Account Name: Performance Monitor Users Additional Information: Privileges: - 10/09/2020 08:40:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Security Group Management OpCode=Info RecordNumber=223569 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Performance Monitor Users Group Name: Performance Monitor Users Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 10/09/2020 08:40:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Security Group Management OpCode=Info RecordNumber=223568 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: NONE_MAPPED Group Name: Power Users Group Domain: Builtin Changed Attributes: SAM Account Name: Power Users SID History: - Additional Information: Privileges: - 10/09/2020 08:40:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4781 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=User Account Management OpCode=Info RecordNumber=223567 Keywords=Audit Success Message=The name of an account was changed: Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: NONE_MAPPED Account Domain: Builtin Old Account Name: Power Users New Account Name: Power Users Additional Information: Privileges: - 10/09/2020 08:40:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Security Group Management OpCode=Info RecordNumber=223566 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: NONE_MAPPED Group Name: Power Users Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 10/09/2020 08:40:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Security Group Management OpCode=Info RecordNumber=223565 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Network Configuration Operators Group Name: Network Configuration Operators Group Domain: Builtin Changed Attributes: SAM Account Name: Network Configuration Operators SID History: - Additional Information: Privileges: - 10/09/2020 08:40:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4781 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=User Account Management OpCode=Info RecordNumber=223564 Keywords=Audit Success Message=The name of an account was changed: Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: BUILTIN\Network Configuration Operators Account Domain: Builtin Old Account Name: Network Configuration Operators New Account Name: Network Configuration Operators Additional Information: Privileges: - 10/09/2020 08:40:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Security Group Management OpCode=Info RecordNumber=223563 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Network Configuration Operators Group Name: Network Configuration Operators Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 10/09/2020 08:40:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Security Group Management OpCode=Info RecordNumber=223562 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Remote Desktop Users Group Name: Remote Desktop Users Group Domain: Builtin Changed Attributes: SAM Account Name: Remote Desktop Users SID History: - Additional Information: Privileges: - 10/09/2020 08:40:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4781 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=User Account Management OpCode=Info RecordNumber=223561 Keywords=Audit Success Message=The name of an account was changed: Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: BUILTIN\Remote Desktop Users Account Domain: Builtin Old Account Name: Remote Desktop Users New Account Name: Remote Desktop Users Additional Information: Privileges: - 10/09/2020 08:40:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Security Group Management OpCode=Info RecordNumber=223560 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Remote Desktop Users Group Name: Remote Desktop Users Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 10/09/2020 08:40:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Security Group Management OpCode=Info RecordNumber=223559 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Replicator Group Name: Replicator Group Domain: Builtin Changed Attributes: SAM Account Name: Replicator SID History: - Additional Information: Privileges: - 10/09/2020 08:40:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4781 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=User Account Management OpCode=Info RecordNumber=223558 Keywords=Audit Success Message=The name of an account was changed: Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: BUILTIN\Replicator Account Domain: Builtin Old Account Name: Replicator New Account Name: Replicator Additional Information: Privileges: - 10/09/2020 08:40:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Security Group Management OpCode=Info RecordNumber=223557 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Replicator Group Name: Replicator Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 10/09/2020 08:40:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Security Group Management OpCode=Info RecordNumber=223556 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Backup Operators Group Name: Backup Operators Group Domain: Builtin Changed Attributes: SAM Account Name: Backup Operators SID History: - Additional Information: Privileges: - 10/09/2020 08:40:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4781 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=User Account Management OpCode=Info RecordNumber=223555 Keywords=Audit Success Message=The name of an account was changed: Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: BUILTIN\Backup Operators Account Domain: Builtin Old Account Name: Backup Operators New Account Name: Backup Operators Additional Information: Privileges: - 10/09/2020 08:40:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Security Group Management OpCode=Info RecordNumber=223554 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Backup Operators Group Name: Backup Operators Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 10/09/2020 08:40:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Security Group Management OpCode=Info RecordNumber=223553 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Guests Group Name: Guests Group Domain: Builtin Changed Attributes: SAM Account Name: Guests SID History: - Additional Information: Privileges: - 10/09/2020 08:40:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4781 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=User Account Management OpCode=Info RecordNumber=223552 Keywords=Audit Success Message=The name of an account was changed: Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: BUILTIN\Guests Account Domain: Builtin Old Account Name: Guests New Account Name: Guests Additional Information: Privileges: - 10/09/2020 08:40:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Security Group Management OpCode=Info RecordNumber=223551 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Guests Group Name: Guests Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 10/09/2020 08:40:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Security Group Management OpCode=Info RecordNumber=223550 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Users Group Name: Users Group Domain: Builtin Changed Attributes: SAM Account Name: Users SID History: - Additional Information: Privileges: - 10/09/2020 08:40:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4781 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=User Account Management OpCode=Info RecordNumber=223549 Keywords=Audit Success Message=The name of an account was changed: Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: BUILTIN\Users Account Domain: Builtin Old Account Name: Users New Account Name: Users Additional Information: Privileges: - 10/09/2020 08:40:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Security Group Management OpCode=Info RecordNumber=223548 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Users Group Name: Users Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 10/09/2020 08:40:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Security Group Management OpCode=Info RecordNumber=223547 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Administrators Group Name: Administrators Group Domain: Builtin Changed Attributes: SAM Account Name: Administrators SID History: - Additional Information: Privileges: - 10/09/2020 08:40:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4781 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=User Account Management OpCode=Info RecordNumber=223546 Keywords=Audit Success Message=The name of an account was changed: Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: BUILTIN\Administrators Account Domain: Builtin Old Account Name: Administrators New Account Name: Administrators Additional Information: Privileges: - 10/09/2020 08:40:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Security Group Management OpCode=Info RecordNumber=223545 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Administrators Group Name: Administrators Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 10/09/2020 08:40:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Security Group Management OpCode=Info RecordNumber=223544 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Print Operators Group Name: Print Operators Group Domain: Builtin Changed Attributes: SAM Account Name: Print Operators SID History: - Additional Information: Privileges: - 10/09/2020 08:40:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4781 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=User Account Management OpCode=Info RecordNumber=223543 Keywords=Audit Success Message=The name of an account was changed: Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: BUILTIN\Print Operators Account Domain: Builtin Old Account Name: Print Operators New Account Name: Print Operators Additional Information: Privileges: - 10/09/2020 08:40:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Security Group Management OpCode=Info RecordNumber=223542 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Print Operators Group Name: Print Operators Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 10/09/2020 08:40:32 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Special Logon OpCode=Info RecordNumber=223633 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:40:32 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223632 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2b8 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:40:32 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Special Logon OpCode=Info RecordNumber=223631 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:40:32 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223630 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2b8 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:40:32 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Special Logon OpCode=Info RecordNumber=223629 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:40:32 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223628 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2b8 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:40:32 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Security Group Management OpCode=Info RecordNumber=223627 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Group: Security ID: BUILTIN\Backup Operators Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x480 Process Name: C:\Windows\System32\svchost.exe 10/09/2020 08:40:32 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Security Group Management OpCode=Info RecordNumber=223626 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Group: Security ID: BUILTIN\Administrators Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x480 Process Name: C:\Windows\System32\svchost.exe 10/09/2020 08:40:32 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5033 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Other System Events OpCode=Info RecordNumber=223625 Keywords=Audit Success Message=The Windows Firewall Driver started successfully. 10/09/2020 08:40:33 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Special Logon OpCode=Info RecordNumber=223642 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:40:33 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223641 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2b8 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:40:33 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Security Group Management OpCode=Info RecordNumber=223640 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Administrators Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x3e4 Process Name: C:\Windows\System32\svchost.exe 10/09/2020 08:40:33 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Security Group Management OpCode=Info RecordNumber=223639 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Backup Operators Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x3e4 Process Name: C:\Windows\System32\svchost.exe 10/09/2020 08:40:33 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Security Group Management OpCode=Info RecordNumber=223638 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Administrators Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x3e4 Process Name: C:\Windows\System32\svchost.exe 10/09/2020 08:40:33 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5024 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Other System Events OpCode=Info RecordNumber=223637 Keywords=Audit Success Message=The Windows Firewall service started successfully. 10/09/2020 08:40:33 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Special Logon OpCode=Info RecordNumber=223636 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:40:33 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223635 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2b8 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:40:33 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223634 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\ANONYMOUS LOGON Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x1B605 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V1 Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:40:35 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5061 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=System Integrity OpCode=Info RecordNumber=223646 Keywords=Audit Success Message=Cryptographic operation. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: TSSecKeySet1 Key Type: Machine key. Cryptographic Operation: Operation: Open Key. Return Code: 0x0 10/09/2020 08:40:35 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5058 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Other System Events OpCode=Info RecordNumber=223645 Keywords=Audit Success Message=Key file operation. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: TSSecKeySet1 Key Type: Machine key. Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\f686aace6942fb7f7ceb231212eef4a4_a5f018ff-4bb8-43ad-9826-7b5a47e80342 Operation: Read persisted key from file. Return Code: 0x0 10/09/2020 08:40:35 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5061 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=System Integrity OpCode=Info RecordNumber=223644 Keywords=Audit Success Message=Cryptographic operation. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: TSSecKeySet1 Key Type: Machine key. Cryptographic Operation: Operation: Open Key. Return Code: 0x0 10/09/2020 08:40:35 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5058 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Other System Events OpCode=Info RecordNumber=223643 Keywords=Audit Success Message=Key file operation. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: TSSecKeySet1 Key Type: Machine key. Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\f686aace6942fb7f7ceb231212eef4a4_a5f018ff-4bb8-43ad-9826-7b5a47e80342 Operation: Read persisted key from file. Return Code: 0x0 10/09/2020 08:40:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Special Logon OpCode=Info RecordNumber=223648 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:40:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223647 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2b8 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:40:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Special Logon OpCode=Info RecordNumber=223650 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:40:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223649 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2b8 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:40:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4798 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=User Account Management OpCode=Info RecordNumber=223653 Keywords=Audit Success Message=A user's local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 User: Security ID: ATTACKRANGE\Guest Account Name: Guest Account Domain: EC2AMAZ-I44GJRK Process Information: Process ID: 0x46c Process Name: C:\Windows\System32\wbem\WmiPrvSE.exe 10/09/2020 08:40:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4798 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=User Account Management OpCode=Info RecordNumber=223652 Keywords=Audit Success Message=A user's local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 User: Security ID: ATTACKRANGE\DefaultAccount Account Name: DefaultAccount Account Domain: EC2AMAZ-I44GJRK Process Information: Process ID: 0x46c Process Name: C:\Windows\System32\wbem\WmiPrvSE.exe 10/09/2020 08:40:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4798 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=User Account Management OpCode=Info RecordNumber=223651 Keywords=Audit Success Message=A user's local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 User: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Process Information: Process ID: 0x46c Process Name: C:\Windows\System32\wbem\WmiPrvSE.exe 10/09/2020 08:40:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4724 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=User Account Management OpCode=Info RecordNumber=223656 Keywords=Audit Success Message=An attempt was made to reset an account's password. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK 10/09/2020 08:40:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4738 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=User Account Management OpCode=Info RecordNumber=223655 Keywords=Audit Success Message=A user account was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Changed Attributes: SAM Account Name: Administrator Display Name: User Principal Name: - Home Directory: Home Drive: Script Path: Profile Path: User Workstations: Password Last Set: 10/9/2020 8:40:58 AM Account Expires: Primary Group ID: 513 AllowedToDelegateTo: - Old UAC Value: 0x14 New UAC Value: 0x10 User Account Control: 'Password Not Required' - Disabled User Parameters: - SID History: - Logon Hours: All Additional Information: Privileges: - 10/09/2020 08:40:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4798 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=User Account Management OpCode=Info RecordNumber=223654 Keywords=Audit Success Message=A user's local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 User: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Process Information: Process ID: 0xca8 Process Name: C:\Windows\System32\net1.exe 10/09/2020 08:41:01 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Special Logon OpCode=Info RecordNumber=223663 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0x77FF1 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:41:01 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223662 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 4 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0x77FF1 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa80 Process Name: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Network Information: Workstation Name: EC2AMAZ-I44GJRK Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:41:01 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223661 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa80 Process Name: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 08:41:01 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Credential Validation OpCode=Info RecordNumber=223660 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-I44GJRK Error Code: 0x0 10/09/2020 08:41:01 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4798 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=User Account Management OpCode=Info RecordNumber=223659 Keywords=Audit Success Message=A user's local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 User: Security ID: ATTACKRANGE\Guest Account Name: Guest Account Domain: EC2AMAZ-I44GJRK Process Information: Process ID: 0x46c Process Name: C:\Windows\System32\wbem\WmiPrvSE.exe 10/09/2020 08:41:01 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4798 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=User Account Management OpCode=Info RecordNumber=223658 Keywords=Audit Success Message=A user's local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 User: Security ID: ATTACKRANGE\DefaultAccount Account Name: DefaultAccount Account Domain: EC2AMAZ-I44GJRK Process Information: Process ID: 0x46c Process Name: C:\Windows\System32\wbem\WmiPrvSE.exe 10/09/2020 08:41:01 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4798 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=User Account Management OpCode=Info RecordNumber=223657 Keywords=Audit Success Message=A user's local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 User: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Process Information: Process ID: 0x46c Process Name: C:\Windows\System32\wbem\WmiPrvSE.exe 10/09/2020 08:41:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Security Group Management OpCode=Info RecordNumber=223664 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Administrators Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x3e4 Process Name: C:\Windows\System32\svchost.exe 10/09/2020 08:41:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4616 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Security State Change OpCode=Info RecordNumber=223666 Keywords=Audit Success Message=The system time was changed. Subject: Security ID: NT AUTHORITY\LOCAL SERVICE Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Process Information: Process ID: 0x4b4 Name: C:\Windows\System32\svchost.exe Previous Time: ‎2020‎-‎10‎-‎09T08:41:12.640362600Z New Time: ‎2020‎-‎10‎-‎09T08:41:12.631000000Z This event is generated when the system time is changed. It is normal for the Windows Time Service, which runs with System privilege, to change the system time on a regular basis. Other system time changes may be indicative of attempts to tamper with the computer. 10/09/2020 08:41:12 AM LogName=Security SourceName=Microsoft-Windows-Eventlog EventCode=1100 EventType=4 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Service shutdown OpCode=Info RecordNumber=223665 Keywords=Audit Success Message=The event logging service has shut down. 10/09/2020 08:57:38 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Process Creation OpCode=Info RecordNumber=223669 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x280 New Process Name: C:\Windows\System32\autochk.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x1f4 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 10/09/2020 08:57:38 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Process Creation OpCode=Info RecordNumber=223668 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1f4 New Process Name: C:\Windows\System32\smss.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x4 Creator Process Name: Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 10/09/2020 08:57:38 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4826 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Other Policy Change Events OpCode=Info RecordNumber=223667 Keywords=Audit Success Message=Boot Configuration Data loaded. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 General Settings: Load Options: - Advanced Options: No Configuration Access Policy: Default System Event Logging: No Kernel Debugging: No VSM Launch Type: Off Signature Settings: Test Signing: No Flight Signing: No Disable Integrity Checks: No HyperVisor Settings: HyperVisor Load Options: - HyperVisor Launch Type: Off HyperVisor Debugging: No 10/09/2020 08:57:41 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Process Creation OpCode=Info RecordNumber=223670 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x2b4 New Process Name: C:\Windows\System32\smss.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x1f4 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 10/09/2020 08:57:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Process Creation OpCode=Info RecordNumber=223675 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x358 New Process Name: C:\Windows\System32\winlogon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x2fc Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 10/09/2020 08:57:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Process Creation OpCode=Info RecordNumber=223674 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x31c New Process Name: C:\Windows\System32\wininit.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x2b4 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 10/09/2020 08:57:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Process Creation OpCode=Info RecordNumber=223673 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x304 New Process Name: C:\Windows\System32\csrss.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x2fc Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 10/09/2020 08:57:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Process Creation OpCode=Info RecordNumber=223672 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x2fc New Process Name: C:\Windows\System32\smss.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x1f4 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 10/09/2020 08:57:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Process Creation OpCode=Info RecordNumber=223671 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x2bc New Process Name: C:\Windows\System32\csrss.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x2b4 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 10/09/2020 08:57:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4902 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Audit Policy Change OpCode=Info RecordNumber=223680 Keywords=Audit Success Message=The Per-user audit policy table was created. Number of Elements: 0 Policy ID: 0x710E 10/09/2020 08:57:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223679 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 0 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: - New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4 Process Name: Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: - Authentication Package: - Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:57:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4608 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Security State Change OpCode=Info RecordNumber=223678 Keywords=Audit Success Message=Windows is starting up. This event is logged when LSASS.EXE starts and the auditing subsystem is initialized. 10/09/2020 08:57:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Process Creation OpCode=Info RecordNumber=223677 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x3a0 New Process Name: C:\Windows\System32\lsass.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x31c Creator Process Name: C:\Windows\System32\wininit.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 10/09/2020 08:57:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Process Creation OpCode=Info RecordNumber=223676 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x38c New Process Name: C:\Windows\System32\services.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x31c Creator Process Name: C:\Windows\System32\wininit.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 10/09/2020 08:57:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Special Logon OpCode=Info RecordNumber=223695 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: Window Manager\DWM-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x10B8E Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege 10/09/2020 08:57:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Special Logon OpCode=Info RecordNumber=223694 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: Window Manager\DWM-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x10B79 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege 10/09/2020 08:57:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223693 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: Window Manager\DWM-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x10B8E Linked Logon ID: 0x10B79 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x358 Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:57:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223692 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: Window Manager\DWM-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x10B79 Linked Logon ID: 0x10B8E Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x358 Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:57:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223691 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: DWM-1 Account Domain: Window Manager Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x358 Process Name: C:\Windows\System32\winlogon.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 08:57:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Special Logon OpCode=Info RecordNumber=223690 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:57:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223689 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x38c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:57:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Special Logon OpCode=Info RecordNumber=223688 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\LOCAL SERVICE Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege 10/09/2020 08:57:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223687 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\LOCAL SERVICE Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x38c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:57:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Special Logon OpCode=Info RecordNumber=223686 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:57:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223685 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x38c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:57:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Special Logon OpCode=Info RecordNumber=223684 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: NETWORK SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E4 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege 10/09/2020 08:57:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223683 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: NETWORK SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x38c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:57:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Special Logon OpCode=Info RecordNumber=223682 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:57:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223681 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x38c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:57:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5024 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Other System Events OpCode=Info RecordNumber=223710 Keywords=Audit Success Message=The Windows Firewall service started successfully. 10/09/2020 08:57:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Security Group Management OpCode=Info RecordNumber=223709 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Backup Operators Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x414 Process Name: C:\Windows\System32\svchost.exe 10/09/2020 08:57:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Security Group Management OpCode=Info RecordNumber=223708 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Administrators Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x414 Process Name: C:\Windows\System32\svchost.exe 10/09/2020 08:57:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223707 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\ANONYMOUS LOGON Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x16972 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V1 Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:57:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Security Group Management OpCode=Info RecordNumber=223706 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Group: Security ID: BUILTIN\Backup Operators Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe 10/09/2020 08:57:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Security Group Management OpCode=Info RecordNumber=223705 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Group: Security ID: BUILTIN\Administrators Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe 10/09/2020 08:57:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Special Logon OpCode=Info RecordNumber=223704 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:57:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223703 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x38c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:57:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Special Logon OpCode=Info RecordNumber=223702 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:57:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223701 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x38c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:57:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Special Logon OpCode=Info RecordNumber=223700 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:57:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223699 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x38c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:57:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Special Logon OpCode=Info RecordNumber=223698 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:57:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223697 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x38c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:57:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5033 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Other System Events OpCode=Info RecordNumber=223696 Keywords=Audit Success Message=The Windows Firewall Driver started successfully. 10/09/2020 08:57:59 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Special Logon OpCode=Info RecordNumber=223712 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:57:59 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223711 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x38c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:58:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Special Logon OpCode=Info RecordNumber=223714 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:58:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223713 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x38c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:58:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4798 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=User Account Management OpCode=Info RecordNumber=223718 Keywords=Audit Success Message=A user's local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 User: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Process Information: Process ID: 0xff4 Process Name: C:\Windows\System32\net1.exe 10/09/2020 08:58:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4798 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=User Account Management OpCode=Info RecordNumber=223717 Keywords=Audit Success Message=A user's local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 User: Security ID: ATTACKRANGE\Guest Account Name: Guest Account Domain: EC2AMAZ-I44GJRK Process Information: Process ID: 0xaa0 Process Name: C:\Windows\System32\wbem\WmiPrvSE.exe 10/09/2020 08:58:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4798 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=User Account Management OpCode=Info RecordNumber=223716 Keywords=Audit Success Message=A user's local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 User: Security ID: ATTACKRANGE\DefaultAccount Account Name: DefaultAccount Account Domain: EC2AMAZ-I44GJRK Process Information: Process ID: 0xaa0 Process Name: C:\Windows\System32\wbem\WmiPrvSE.exe 10/09/2020 08:58:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4798 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=User Account Management OpCode=Info RecordNumber=223715 Keywords=Audit Success Message=A user's local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 User: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Process Information: Process ID: 0xaa0 Process Name: C:\Windows\System32\wbem\WmiPrvSE.exe 10/09/2020 08:58:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4724 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=User Account Management OpCode=Info RecordNumber=223720 Keywords=Audit Success Message=An attempt was made to reset an account's password. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK 10/09/2020 08:58:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4738 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=User Account Management OpCode=Info RecordNumber=223719 Keywords=Audit Success Message=A user account was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Changed Attributes: SAM Account Name: Administrator Display Name: User Principal Name: - Home Directory: Home Drive: Script Path: Profile Path: User Workstations: Password Last Set: 10/9/2020 8:58:14 AM Account Expires: Primary Group ID: 513 AllowedToDelegateTo: - Old UAC Value: 0x10 New UAC Value: 0x10 User Account Control: - User Parameters: - SID History: - Logon Hours: All Additional Information: Privileges: - 10/09/2020 08:58:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Special Logon OpCode=Info RecordNumber=223727 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0x71B78 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:58:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223726 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 4 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0x71B78 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xb50 Process Name: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Network Information: Workstation Name: EC2AMAZ-I44GJRK Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:58:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223725 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xb50 Process Name: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 08:58:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Credential Validation OpCode=Info RecordNumber=223724 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-I44GJRK Error Code: 0x0 10/09/2020 08:58:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4798 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=User Account Management OpCode=Info RecordNumber=223723 Keywords=Audit Success Message=A user's local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 User: Security ID: ATTACKRANGE\Guest Account Name: Guest Account Domain: EC2AMAZ-I44GJRK Process Information: Process ID: 0xaa0 Process Name: C:\Windows\System32\wbem\WmiPrvSE.exe 10/09/2020 08:58:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4798 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=User Account Management OpCode=Info RecordNumber=223722 Keywords=Audit Success Message=A user's local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 User: Security ID: ATTACKRANGE\DefaultAccount Account Name: DefaultAccount Account Domain: EC2AMAZ-I44GJRK Process Information: Process ID: 0xaa0 Process Name: C:\Windows\System32\wbem\WmiPrvSE.exe 10/09/2020 08:58:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4798 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=User Account Management OpCode=Info RecordNumber=223721 Keywords=Audit Success Message=A user's local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 User: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Process Information: Process ID: 0xaa0 Process Name: C:\Windows\System32\wbem\WmiPrvSE.exe 10/09/2020 08:58:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4724 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=User Account Management OpCode=Info RecordNumber=223732 Keywords=Audit Success Message=An attempt was made to reset an account's password. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0x71B78 Target Account: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK 10/09/2020 08:58:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4738 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=User Account Management OpCode=Info RecordNumber=223731 Keywords=Audit Success Message=A user account was changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0x71B78 Target Account: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Changed Attributes: SAM Account Name: Administrator Display Name: User Principal Name: - Home Directory: Home Drive: Script Path: Profile Path: User Workstations: Password Last Set: 10/9/2020 8:58:19 AM Account Expires: Primary Group ID: 513 AllowedToDelegateTo: - Old UAC Value: 0x10 New UAC Value: 0x10 User Account Control: - User Parameters: - SID History: - Logon Hours: All Additional Information: Privileges: - 10/09/2020 08:58:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4798 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=User Account Management OpCode=Info RecordNumber=223730 Keywords=Audit Success Message=A user's local group membership was enumerated. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0x71B78 User: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Process Information: Process ID: 0x0 Process Name: - 10/09/2020 08:58:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4798 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=User Account Management OpCode=Info RecordNumber=223729 Keywords=Audit Success Message=A user's local group membership was enumerated. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0x71B78 User: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Process Information: Process ID: 0x0 Process Name: - 10/09/2020 08:58:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Security Group Management OpCode=Info RecordNumber=223728 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Administrators Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x414 Process Name: C:\Windows\System32\svchost.exe 10/09/2020 08:58:22 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5061 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=System Integrity OpCode=Info RecordNumber=223742 Keywords=Audit Success Message=Cryptographic operation. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: tp-311d0843-98b0-4f90-836e-7f5cb6a401a8 Key Type: Machine key. Cryptographic Operation: Operation: Open Key. Return Code: 0x0 10/09/2020 08:58:22 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5058 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Other System Events OpCode=Info RecordNumber=223741 Keywords=Audit Success Message=Key file operation. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: a66784502aa0ecc0e4668d873ec398e1_a5f018ff-4bb8-43ad-9826-7b5a47e80342 Key Type: Machine key. Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\a66784502aa0ecc0e4668d873ec398e1_a5f018ff-4bb8-43ad-9826-7b5a47e80342 Operation: Read persisted key from file. Return Code: 0x0 10/09/2020 08:58:22 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5061 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=System Integrity OpCode=Info RecordNumber=223740 Keywords=Audit Success Message=Cryptographic operation. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0x71B78 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: tp-311d0843-98b0-4f90-836e-7f5cb6a401a8 Key Type: Machine key. Cryptographic Operation: Operation: Open Key. Return Code: 0x0 10/09/2020 08:58:22 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5058 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Other System Events OpCode=Info RecordNumber=223739 Keywords=Audit Success Message=Key file operation. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0x71B78 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: tp-311d0843-98b0-4f90-836e-7f5cb6a401a8 Key Type: Machine key. Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\a66784502aa0ecc0e4668d873ec398e1_a5f018ff-4bb8-43ad-9826-7b5a47e80342 Operation: Read persisted key from file. Return Code: 0x0 10/09/2020 08:58:22 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5061 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=System Integrity OpCode=Info RecordNumber=223738 Keywords=Audit Success Message=Cryptographic operation. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0x71B78 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: tp-311d0843-98b0-4f90-836e-7f5cb6a401a8 Key Type: Machine key. Cryptographic Operation: Operation: Open Key. Return Code: 0x0 10/09/2020 08:58:22 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5058 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Other System Events OpCode=Info RecordNumber=223737 Keywords=Audit Success Message=Key file operation. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0x71B78 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: tp-311d0843-98b0-4f90-836e-7f5cb6a401a8 Key Type: Machine key. Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\a66784502aa0ecc0e4668d873ec398e1_a5f018ff-4bb8-43ad-9826-7b5a47e80342 Operation: Read persisted key from file. Return Code: 0x0 10/09/2020 08:58:22 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5061 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=System Integrity OpCode=Info RecordNumber=223736 Keywords=Audit Success Message=Cryptographic operation. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0x71B78 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: tp-311d0843-98b0-4f90-836e-7f5cb6a401a8 Key Type: Machine key. Cryptographic Operation: Operation: Open Key. Return Code: 0x0 10/09/2020 08:58:22 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5058 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Other System Events OpCode=Info RecordNumber=223735 Keywords=Audit Success Message=Key file operation. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0x71B78 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: tp-311d0843-98b0-4f90-836e-7f5cb6a401a8 Key Type: Machine key. Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\a66784502aa0ecc0e4668d873ec398e1_a5f018ff-4bb8-43ad-9826-7b5a47e80342 Operation: Read persisted key from file. Return Code: 0x0 10/09/2020 08:58:22 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5061 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=System Integrity OpCode=Info RecordNumber=223734 Keywords=Audit Success Message=Cryptographic operation. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0x71B78 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: tp-311d0843-98b0-4f90-836e-7f5cb6a401a8 Key Type: Machine key. Cryptographic Operation: Operation: Open Key. Return Code: 0x0 10/09/2020 08:58:22 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5058 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Other System Events OpCode=Info RecordNumber=223733 Keywords=Audit Success Message=Key file operation. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0x71B78 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: tp-311d0843-98b0-4f90-836e-7f5cb6a401a8 Key Type: Machine key. Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\a66784502aa0ecc0e4668d873ec398e1_a5f018ff-4bb8-43ad-9826-7b5a47e80342 Operation: Read persisted key from file. Return Code: 0x0 10/09/2020 08:58:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4625 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223744 Keywords=Audit Failure Message=An account failed to log on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Type: 3 Account For Which Logon Failed: Security ID: NULL SID Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Failure Information: Failure Reason: Unknown user name or bad password. Status: 0xC000006D Sub Status: 0xC000006A Process Information: Caller Process ID: 0x0 Caller Process Name: - Network Information: Workstation Name: EC2AMAZ-I44GJRK Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon request fails. It is generated on the computer where access was attempted. The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network). The Process Information fields indicate which account and process on the system requested the logon. The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:58:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4625 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223743 Keywords=Audit Failure Message=An account failed to log on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Type: 3 Account For Which Logon Failed: Security ID: NULL SID Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Failure Information: Failure Reason: Unknown user name or bad password. Status: 0xC000006D Sub Status: 0xC000006A Process Information: Caller Process ID: 0x0 Caller Process Name: - Network Information: Workstation Name: EC2AMAZ-I44GJRK Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon request fails. It is generated on the computer where access was attempted. The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network). The Process Information fields indicate which account and process on the system requested the logon. The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:58:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Security Group Management OpCode=Info RecordNumber=223758 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Administrators Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x414 Process Name: C:\Windows\System32\svchost.exe 10/09/2020 08:58:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Special Logon OpCode=Info RecordNumber=223757 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0x8449B Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:58:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223756 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0x8449B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-I44GJRK Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:58:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223755 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 08:58:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Credential Validation OpCode=Info RecordNumber=223754 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-I44GJRK Error Code: 0x0 10/09/2020 08:58:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Special Logon OpCode=Info RecordNumber=223753 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0x84365 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:58:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223752 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0x84365 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-I44GJRK Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:58:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223751 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 08:58:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Credential Validation OpCode=Info RecordNumber=223750 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-I44GJRK Error Code: 0x0 10/09/2020 08:58:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Security Group Management OpCode=Info RecordNumber=223749 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Administrators Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x414 Process Name: C:\Windows\System32\svchost.exe 10/09/2020 08:58:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Special Logon OpCode=Info RecordNumber=223748 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0x83B6F Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:58:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223747 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0x83B6F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-I44GJRK Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:58:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223746 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 08:58:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Credential Validation OpCode=Info RecordNumber=223745 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-I44GJRK Error Code: 0x0 10/09/2020 08:58:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Security Group Management OpCode=Info RecordNumber=223870 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Administrators Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x414 Process Name: C:\Windows\System32\svchost.exe 10/09/2020 08:58:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logoff OpCode=Info RecordNumber=223869 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0x88630 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 08:58:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Special Logon OpCode=Info RecordNumber=223868 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0x88CA1 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:58:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223867 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0x88CA1 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-I44GJRK Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:58:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223866 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 08:58:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Credential Validation OpCode=Info RecordNumber=223865 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-I44GJRK Error Code: 0x0 10/09/2020 08:58:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logoff OpCode=Info RecordNumber=223864 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0x88C67 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 08:58:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Special Logon OpCode=Info RecordNumber=223863 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0x88C67 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:58:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223862 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0x88C67 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-I44GJRK Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:58:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223861 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 08:58:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Credential Validation OpCode=Info RecordNumber=223860 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-I44GJRK Error Code: 0x0 10/09/2020 08:58:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Security Group Management OpCode=Info RecordNumber=223859 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Administrators Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x414 Process Name: C:\Windows\System32\svchost.exe 10/09/2020 08:58:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Special Logon OpCode=Info RecordNumber=223858 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0x88630 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:58:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223857 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0x88630 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-I44GJRK Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:58:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223856 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 08:58:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Credential Validation OpCode=Info RecordNumber=223855 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-I44GJRK Error Code: 0x0 10/09/2020 08:58:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logoff OpCode=Info RecordNumber=223854 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0x882AF Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 08:58:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Special Logon OpCode=Info RecordNumber=223853 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0x88556 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:58:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223852 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0x88556 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-I44GJRK Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:58:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223851 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 08:58:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Credential Validation OpCode=Info RecordNumber=223850 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-I44GJRK Error Code: 0x0 10/09/2020 08:58:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logoff OpCode=Info RecordNumber=223849 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0x88525 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 08:58:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Special Logon OpCode=Info RecordNumber=223848 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0x88525 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:58:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223847 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0x88525 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-I44GJRK Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:58:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223846 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 08:58:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Credential Validation OpCode=Info RecordNumber=223845 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-I44GJRK Error Code: 0x0 10/09/2020 08:58:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logoff OpCode=Info RecordNumber=223844 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0x883EA Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 08:58:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Special Logon OpCode=Info RecordNumber=223843 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0x883EA Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:58:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223842 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0x883EA Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-I44GJRK Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:58:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223841 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 08:58:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Credential Validation OpCode=Info RecordNumber=223840 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-I44GJRK Error Code: 0x0 10/09/2020 08:58:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Special Logon OpCode=Info RecordNumber=223839 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0x882AF Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:58:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223838 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0x882AF Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-I44GJRK Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:58:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223837 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 08:58:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Credential Validation OpCode=Info RecordNumber=223836 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-I44GJRK Error Code: 0x0 10/09/2020 08:58:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Security Group Management OpCode=Info RecordNumber=223835 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Administrators Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x414 Process Name: C:\Windows\System32\svchost.exe 10/09/2020 08:58:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Special Logon OpCode=Info RecordNumber=223834 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0x87D3F Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:58:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223833 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0x87D3F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-I44GJRK Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:58:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223832 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 08:58:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Credential Validation OpCode=Info RecordNumber=223831 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-I44GJRK Error Code: 0x0 10/09/2020 08:58:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logoff OpCode=Info RecordNumber=223830 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0x84365 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 08:58:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logoff OpCode=Info RecordNumber=223829 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0x86A6C Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 08:58:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Special Logon OpCode=Info RecordNumber=223828 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0x87D07 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:58:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223827 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0x87D07 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-I44GJRK Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:58:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223826 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 08:58:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Credential Validation OpCode=Info RecordNumber=223825 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-I44GJRK Error Code: 0x0 10/09/2020 08:58:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logoff OpCode=Info RecordNumber=223824 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0x87CD6 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 08:58:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Special Logon OpCode=Info RecordNumber=223823 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0x87CD6 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:58:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223822 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0x87CD6 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-I44GJRK Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:58:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223821 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 08:58:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Credential Validation OpCode=Info RecordNumber=223820 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-I44GJRK Error Code: 0x0 10/09/2020 08:58:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logoff OpCode=Info RecordNumber=223819 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0x86B8A Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 08:58:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Special Logon OpCode=Info RecordNumber=223818 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0x86B8A Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:58:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223817 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0x86B8A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-I44GJRK Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:58:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223816 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 08:58:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Credential Validation OpCode=Info RecordNumber=223815 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-I44GJRK Error Code: 0x0 10/09/2020 08:58:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Special Logon OpCode=Info RecordNumber=223814 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0x86A6C Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:58:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223813 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0x86A6C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-I44GJRK Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:58:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223812 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 08:58:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Credential Validation OpCode=Info RecordNumber=223811 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-I44GJRK Error Code: 0x0 10/09/2020 08:58:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Security Group Management OpCode=Info RecordNumber=223810 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Administrators Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x414 Process Name: C:\Windows\System32\svchost.exe 10/09/2020 08:58:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logoff OpCode=Info RecordNumber=223809 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0x84C22 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 08:58:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Special Logon OpCode=Info RecordNumber=223808 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0x864F8 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:58:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223807 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0x864F8 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-I44GJRK Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:58:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223806 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 08:58:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Credential Validation OpCode=Info RecordNumber=223805 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-I44GJRK Error Code: 0x0 10/09/2020 08:58:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logoff OpCode=Info RecordNumber=223804 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0x864C0 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 08:58:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logoff OpCode=Info RecordNumber=223803 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0x851A7 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 08:58:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Special Logon OpCode=Info RecordNumber=223802 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0x864C0 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:58:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223801 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0x864C0 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-I44GJRK Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:58:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223800 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 08:58:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Credential Validation OpCode=Info RecordNumber=223799 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-I44GJRK Error Code: 0x0 10/09/2020 08:58:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logoff OpCode=Info RecordNumber=223798 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0x8648F Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 08:58:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Special Logon OpCode=Info RecordNumber=223797 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0x8648F Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:58:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223796 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0x8648F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-I44GJRK Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:58:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223795 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 08:58:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Credential Validation OpCode=Info RecordNumber=223794 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-I44GJRK Error Code: 0x0 10/09/2020 08:58:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logoff OpCode=Info RecordNumber=223793 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0x852AD Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 08:58:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Special Logon OpCode=Info RecordNumber=223792 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0x852AD Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:58:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223791 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0x852AD Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-I44GJRK Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:58:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223790 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 08:58:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Credential Validation OpCode=Info RecordNumber=223789 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-I44GJRK Error Code: 0x0 10/09/2020 08:58:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Special Logon OpCode=Info RecordNumber=223788 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0x851A7 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:58:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223787 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0x851A7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-I44GJRK Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:58:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223786 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 08:58:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Credential Validation OpCode=Info RecordNumber=223785 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-I44GJRK Error Code: 0x0 10/09/2020 08:58:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Security Group Management OpCode=Info RecordNumber=223784 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Administrators Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x414 Process Name: C:\Windows\System32\svchost.exe 10/09/2020 08:58:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logoff OpCode=Info RecordNumber=223783 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0x8449B Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 08:58:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Special Logon OpCode=Info RecordNumber=223782 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0x84C22 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:58:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223781 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0x84C22 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-I44GJRK Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:58:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223780 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 08:58:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Credential Validation OpCode=Info RecordNumber=223779 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-I44GJRK Error Code: 0x0 10/09/2020 08:58:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logoff OpCode=Info RecordNumber=223778 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0x84BE5 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 08:58:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logoff OpCode=Info RecordNumber=223777 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0x8497C Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 08:58:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Special Logon OpCode=Info RecordNumber=223776 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0x84BE5 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:58:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223775 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0x84BE5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-I44GJRK Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:58:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223774 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 08:58:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Credential Validation OpCode=Info RecordNumber=223773 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-I44GJRK Error Code: 0x0 10/09/2020 08:58:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logoff OpCode=Info RecordNumber=223772 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0x84BAB Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 08:58:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Special Logon OpCode=Info RecordNumber=223771 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0x84BAB Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:58:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223770 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0x84BAB Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-I44GJRK Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:58:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223769 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 08:58:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Credential Validation OpCode=Info RecordNumber=223768 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-I44GJRK Error Code: 0x0 10/09/2020 08:58:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logoff OpCode=Info RecordNumber=223767 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0x84A9E Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 08:58:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Special Logon OpCode=Info RecordNumber=223766 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0x84A9E Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:58:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223765 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0x84A9E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-I44GJRK Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:58:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223764 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 08:58:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Credential Validation OpCode=Info RecordNumber=223763 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-I44GJRK Error Code: 0x0 10/09/2020 08:58:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Special Logon OpCode=Info RecordNumber=223762 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0x8497C Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:58:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223761 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0x8497C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-I44GJRK Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:58:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223760 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 08:58:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Credential Validation OpCode=Info RecordNumber=223759 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-I44GJRK Error Code: 0x0 10/09/2020 08:58:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logoff OpCode=Info RecordNumber=223915 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0x8B24D Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 08:58:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Special Logon OpCode=Info RecordNumber=223914 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0x8C49C Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:58:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223913 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0x8C49C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-I44GJRK Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:58:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223912 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 08:58:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Credential Validation OpCode=Info RecordNumber=223911 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-I44GJRK Error Code: 0x0 10/09/2020 08:58:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logoff OpCode=Info RecordNumber=223910 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0x8C46B Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 08:58:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Special Logon OpCode=Info RecordNumber=223909 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0x8C46B Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:58:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223908 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0x8C46B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-I44GJRK Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:58:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223907 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 08:58:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Credential Validation OpCode=Info RecordNumber=223906 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-I44GJRK Error Code: 0x0 10/09/2020 08:58:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logoff OpCode=Info RecordNumber=223905 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0x8B367 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 08:58:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Special Logon OpCode=Info RecordNumber=223904 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0x8B367 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:58:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223903 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0x8B367 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-I44GJRK Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:58:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223902 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 08:58:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Credential Validation OpCode=Info RecordNumber=223901 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-I44GJRK Error Code: 0x0 10/09/2020 08:58:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Special Logon OpCode=Info RecordNumber=223900 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0x8B24D Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:58:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223899 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0x8B24D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-I44GJRK Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:58:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223898 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 08:58:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Credential Validation OpCode=Info RecordNumber=223897 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-I44GJRK Error Code: 0x0 10/09/2020 08:58:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Security Group Management OpCode=Info RecordNumber=223896 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Administrators Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x414 Process Name: C:\Windows\System32\svchost.exe 10/09/2020 08:58:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logoff OpCode=Info RecordNumber=223895 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0x88CA1 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 08:58:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Special Logon OpCode=Info RecordNumber=223894 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0x8ABFF Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:58:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223893 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0x8ABFF Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-I44GJRK Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:58:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223892 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 08:58:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Credential Validation OpCode=Info RecordNumber=223891 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-I44GJRK Error Code: 0x0 10/09/2020 08:58:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logoff OpCode=Info RecordNumber=223890 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0x8ABC7 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 08:58:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logoff OpCode=Info RecordNumber=223889 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0x8921A Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 08:58:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Special Logon OpCode=Info RecordNumber=223888 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0x8ABC7 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:58:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223887 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0x8ABC7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-I44GJRK Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:58:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223886 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 08:58:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Credential Validation OpCode=Info RecordNumber=223885 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-I44GJRK Error Code: 0x0 10/09/2020 08:58:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logoff OpCode=Info RecordNumber=223884 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0x8AB96 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 08:58:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Special Logon OpCode=Info RecordNumber=223883 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0x8AB96 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:58:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223882 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0x8AB96 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-I44GJRK Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:58:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223881 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 08:58:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Credential Validation OpCode=Info RecordNumber=223880 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-I44GJRK Error Code: 0x0 10/09/2020 08:58:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logoff OpCode=Info RecordNumber=223879 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0x892EF Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 08:58:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Special Logon OpCode=Info RecordNumber=223878 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0x892EF Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:58:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223877 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0x892EF Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-I44GJRK Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:58:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223876 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 08:58:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Credential Validation OpCode=Info RecordNumber=223875 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-I44GJRK Error Code: 0x0 10/09/2020 08:58:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Special Logon OpCode=Info RecordNumber=223874 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0x8921A Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:58:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223873 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0x8921A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-I44GJRK Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:58:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223872 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 08:58:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Credential Validation OpCode=Info RecordNumber=223871 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-I44GJRK Error Code: 0x0 10/09/2020 08:58:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Special Logon OpCode=Info RecordNumber=223928 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0x8CC5F Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:58:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223927 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0x8CC5F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-I44GJRK Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:58:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223926 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 08:58:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Credential Validation OpCode=Info RecordNumber=223925 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-I44GJRK Error Code: 0x0 10/09/2020 08:58:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Special Logon OpCode=Info RecordNumber=223924 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0x8CB4E Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:58:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223923 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0x8CB4E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-I44GJRK Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:58:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223922 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 08:58:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Credential Validation OpCode=Info RecordNumber=223921 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-I44GJRK Error Code: 0x0 10/09/2020 08:58:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Security Group Management OpCode=Info RecordNumber=223920 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Administrators Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x414 Process Name: C:\Windows\System32\svchost.exe 10/09/2020 08:58:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Special Logon OpCode=Info RecordNumber=223919 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0x8C631 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:58:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223918 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0x8C631 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-I44GJRK Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:58:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223917 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 08:58:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Credential Validation OpCode=Info RecordNumber=223916 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-I44GJRK Error Code: 0x0 10/09/2020 08:58:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Special Logon OpCode=Info RecordNumber=223936 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0x8F358 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:58:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223935 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0x8F358 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-I44GJRK Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:58:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223934 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 08:58:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Credential Validation OpCode=Info RecordNumber=223933 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-I44GJRK Error Code: 0x0 10/09/2020 08:58:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Special Logon OpCode=Info RecordNumber=223932 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0x8E89E Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:58:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223931 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0x8E89E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-I44GJRK Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:58:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223930 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 08:58:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Credential Validation OpCode=Info RecordNumber=223929 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-I44GJRK Error Code: 0x0 10/09/2020 08:58:40 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Security Group Management OpCode=Info RecordNumber=223937 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0x8C631 Group: Security ID: BUILTIN\Administrators Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0xddc Process Name: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 10/09/2020 08:58:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logoff OpCode=Info RecordNumber=223951 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0xA2304 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 08:58:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logoff OpCode=Info RecordNumber=223950 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0x8CB4E Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 08:58:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Special Logon OpCode=Info RecordNumber=223949 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0xA2304 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:58:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223948 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0xA2304 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-I44GJRK Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:58:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223947 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 08:58:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Credential Validation OpCode=Info RecordNumber=223946 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-I44GJRK Error Code: 0x0 10/09/2020 08:58:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logoff OpCode=Info RecordNumber=223945 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0xA22D3 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 08:58:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Special Logon OpCode=Info RecordNumber=223944 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0xA22D3 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:58:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223943 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0xA22D3 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-I44GJRK Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:58:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223942 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 08:58:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Credential Validation OpCode=Info RecordNumber=223941 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-I44GJRK Error Code: 0x0 10/09/2020 08:58:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logoff OpCode=Info RecordNumber=223940 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0x8F358 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 08:58:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logoff OpCode=Info RecordNumber=223939 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0x8E89E Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 08:58:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logoff OpCode=Info RecordNumber=223938 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0x8CC5F Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 08:58:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Special Logon OpCode=Info RecordNumber=223968 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0xA48F7 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:58:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223967 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0xA48F7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-I44GJRK Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:58:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223966 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 08:58:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Credential Validation OpCode=Info RecordNumber=223965 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-I44GJRK Error Code: 0x0 10/09/2020 08:58:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Special Logon OpCode=Info RecordNumber=223964 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0xA2BC2 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:58:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223963 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0xA2BC2 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-I44GJRK Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:58:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223962 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 08:58:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Credential Validation OpCode=Info RecordNumber=223961 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-I44GJRK Error Code: 0x0 10/09/2020 08:58:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Special Logon OpCode=Info RecordNumber=223960 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0xA2AC5 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:58:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223959 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0xA2AC5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-I44GJRK Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:58:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223958 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 08:58:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Credential Validation OpCode=Info RecordNumber=223957 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-I44GJRK Error Code: 0x0 10/09/2020 08:58:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Security Group Management OpCode=Info RecordNumber=223956 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Administrators Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x414 Process Name: C:\Windows\System32\svchost.exe 10/09/2020 08:58:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Special Logon OpCode=Info RecordNumber=223955 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0xA23FD Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:58:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223954 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0xA23FD Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-I44GJRK Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:58:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223953 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 08:58:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Credential Validation OpCode=Info RecordNumber=223952 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-I44GJRK Error Code: 0x0 10/09/2020 08:58:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Special Logon OpCode=Info RecordNumber=224004 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0xA7F10 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:58:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=224003 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0xA7F10 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-I44GJRK Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:58:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=224002 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 08:58:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Credential Validation OpCode=Info RecordNumber=224001 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-I44GJRK Error Code: 0x0 10/09/2020 08:58:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Special Logon OpCode=Info RecordNumber=224000 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0xA632A Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:58:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223999 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0xA632A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-I44GJRK Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:58:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223998 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 08:58:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Credential Validation OpCode=Info RecordNumber=223997 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-I44GJRK Error Code: 0x0 10/09/2020 08:58:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Special Logon OpCode=Info RecordNumber=223996 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0xA622A Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:58:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223995 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0xA622A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-I44GJRK Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:58:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223994 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 08:58:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Credential Validation OpCode=Info RecordNumber=223993 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-I44GJRK Error Code: 0x0 10/09/2020 08:58:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Security Group Management OpCode=Info RecordNumber=223992 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Administrators Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x414 Process Name: C:\Windows\System32\svchost.exe 10/09/2020 08:58:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Special Logon OpCode=Info RecordNumber=223991 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0xA5D57 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:58:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223990 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0xA5D57 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-I44GJRK Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:58:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223989 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 08:58:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Credential Validation OpCode=Info RecordNumber=223988 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-I44GJRK Error Code: 0x0 10/09/2020 08:58:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logoff OpCode=Info RecordNumber=223987 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0xA23FD Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 08:58:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logoff OpCode=Info RecordNumber=223986 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0xA5C5C Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 08:58:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logoff OpCode=Info RecordNumber=223985 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0xA2AC5 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 08:58:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Special Logon OpCode=Info RecordNumber=223984 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0xA5C5C Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:58:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223983 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0xA5C5C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-I44GJRK Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:58:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223982 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 08:58:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Credential Validation OpCode=Info RecordNumber=223981 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-I44GJRK Error Code: 0x0 10/09/2020 08:58:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logoff OpCode=Info RecordNumber=223980 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0xA5C2B Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 08:58:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Special Logon OpCode=Info RecordNumber=223979 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0xA5C2B Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:58:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223978 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0xA5C2B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-I44GJRK Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:58:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223977 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 08:58:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Credential Validation OpCode=Info RecordNumber=223976 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-I44GJRK Error Code: 0x0 10/09/2020 08:58:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logoff OpCode=Info RecordNumber=223975 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0xA59B9 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 08:58:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logoff OpCode=Info RecordNumber=223974 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0xA48F7 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 08:58:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logoff OpCode=Info RecordNumber=223973 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0xA2BC2 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 08:58:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Special Logon OpCode=Info RecordNumber=223972 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0xA59B9 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:58:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223971 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0xA59B9 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-I44GJRK Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:58:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223970 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 08:58:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Credential Validation OpCode=Info RecordNumber=223969 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-I44GJRK Error Code: 0x0 10/09/2020 08:58:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Special Logon OpCode=Info RecordNumber=224008 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0xA8B7F Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:58:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=224007 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0xA8B7F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-I44GJRK Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:58:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=224006 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 08:58:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Credential Validation OpCode=Info RecordNumber=224005 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-I44GJRK Error Code: 0x0 10/09/2020 08:59:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Special Logon OpCode=Info RecordNumber=224013 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0xC2CD0 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:59:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=224012 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0xC2CD0 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-I44GJRK Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:59:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=224011 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 08:59:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Credential Validation OpCode=Info RecordNumber=224010 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-I44GJRK Error Code: 0x0 10/09/2020 08:59:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logoff OpCode=Info RecordNumber=224009 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0xA8B7F Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 08:59:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Security Group Management OpCode=Info RecordNumber=224025 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Backup Operators Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x804 Process Name: C:\Windows\System32\VSSVC.exe 10/09/2020 08:59:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Security Group Management OpCode=Info RecordNumber=224024 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Administrators Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x804 Process Name: C:\Windows\System32\VSSVC.exe 10/09/2020 08:59:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Security Group Management OpCode=Info RecordNumber=224023 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Backup Operators Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x804 Process Name: C:\Windows\System32\VSSVC.exe 10/09/2020 08:59:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Security Group Management OpCode=Info RecordNumber=224022 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Administrators Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x804 Process Name: C:\Windows\System32\VSSVC.exe 10/09/2020 08:59:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Security Group Management OpCode=Info RecordNumber=224021 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Backup Operators Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x804 Process Name: C:\Windows\System32\VSSVC.exe 10/09/2020 08:59:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Security Group Management OpCode=Info RecordNumber=224020 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Administrators Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x804 Process Name: C:\Windows\System32\VSSVC.exe 10/09/2020 08:59:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Special Logon OpCode=Info RecordNumber=224019 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:59:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=224018 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x38c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:59:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Security Group Management OpCode=Info RecordNumber=224017 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Backup Operators Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x804 Process Name: C:\Windows\System32\VSSVC.exe 10/09/2020 08:59:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Security Group Management OpCode=Info RecordNumber=224016 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Administrators Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x804 Process Name: C:\Windows\System32\VSSVC.exe 10/09/2020 08:59:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Special Logon OpCode=Info RecordNumber=224015 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:59:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=224014 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x38c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:59:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logoff OpCode=Info RecordNumber=224040 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0xA5D57 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 08:59:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logoff OpCode=Info RecordNumber=224039 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0xCE551 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 08:59:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logoff OpCode=Info RecordNumber=224038 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0xA622A Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 08:59:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Special Logon OpCode=Info RecordNumber=224037 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0xCE551 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:59:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=224036 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0xCE551 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-I44GJRK Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:59:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=224035 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 08:59:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Credential Validation OpCode=Info RecordNumber=224034 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-I44GJRK Error Code: 0x0 10/09/2020 08:59:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logoff OpCode=Info RecordNumber=224033 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0xCE520 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 08:59:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Special Logon OpCode=Info RecordNumber=224032 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0xCE520 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:59:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=224031 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0xCE520 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-I44GJRK Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:59:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=224030 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 08:59:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Credential Validation OpCode=Info RecordNumber=224029 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-I44GJRK Error Code: 0x0 10/09/2020 08:59:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logoff OpCode=Info RecordNumber=224028 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0xC2CD0 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 08:59:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logoff OpCode=Info RecordNumber=224027 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0xA7F10 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 08:59:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logoff OpCode=Info RecordNumber=224026 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0xA632A Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 08:59:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Special Logon OpCode=Info RecordNumber=224057 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0xD0A85 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:59:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=224056 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0xD0A85 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-I44GJRK Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:59:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=224055 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 08:59:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Credential Validation OpCode=Info RecordNumber=224054 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-I44GJRK Error Code: 0x0 10/09/2020 08:59:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Special Logon OpCode=Info RecordNumber=224053 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0xCED9F Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:59:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=224052 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0xCED9F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-I44GJRK Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:59:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=224051 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 08:59:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Credential Validation OpCode=Info RecordNumber=224050 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-I44GJRK Error Code: 0x0 10/09/2020 08:59:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Special Logon OpCode=Info RecordNumber=224049 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0xCECA2 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:59:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=224048 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0xCECA2 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-I44GJRK Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:59:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=224047 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 08:59:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Credential Validation OpCode=Info RecordNumber=224046 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-I44GJRK Error Code: 0x0 10/09/2020 08:59:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Security Group Management OpCode=Info RecordNumber=224045 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Administrators Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x414 Process Name: C:\Windows\System32\svchost.exe 10/09/2020 08:59:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Special Logon OpCode=Info RecordNumber=224044 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0xCE63F Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:59:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=224043 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0xCE63F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-I44GJRK Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:59:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=224042 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 08:59:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Credential Validation OpCode=Info RecordNumber=224041 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-I44GJRK Error Code: 0x0 10/09/2020 08:59:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Special Logon OpCode=Info RecordNumber=224093 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0xD40E6 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:59:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=224092 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0xD40E6 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-I44GJRK Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:59:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=224091 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 08:59:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Credential Validation OpCode=Info RecordNumber=224090 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-I44GJRK Error Code: 0x0 10/09/2020 08:59:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Special Logon OpCode=Info RecordNumber=224089 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0xD24C9 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:59:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=224088 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0xD24C9 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-I44GJRK Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:59:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=224087 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 08:59:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Credential Validation OpCode=Info RecordNumber=224086 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-I44GJRK Error Code: 0x0 10/09/2020 08:59:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Special Logon OpCode=Info RecordNumber=224085 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0xD23C8 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:59:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=224084 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0xD23C8 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-I44GJRK Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:59:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=224083 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 08:59:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Credential Validation OpCode=Info RecordNumber=224082 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-I44GJRK Error Code: 0x0 10/09/2020 08:59:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Security Group Management OpCode=Info RecordNumber=224081 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Administrators Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x414 Process Name: C:\Windows\System32\svchost.exe 10/09/2020 08:59:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Special Logon OpCode=Info RecordNumber=224080 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0xD1F11 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:59:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=224079 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0xD1F11 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-I44GJRK Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:59:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=224078 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 08:59:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Credential Validation OpCode=Info RecordNumber=224077 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-I44GJRK Error Code: 0x0 10/09/2020 08:59:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logoff OpCode=Info RecordNumber=224076 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0xCE63F Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 08:59:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logoff OpCode=Info RecordNumber=224075 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0xD1E31 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 08:59:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logoff OpCode=Info RecordNumber=224074 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0xCECA2 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 08:59:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Special Logon OpCode=Info RecordNumber=224073 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0xD1E31 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:59:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=224072 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0xD1E31 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-I44GJRK Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:59:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=224071 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 08:59:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Credential Validation OpCode=Info RecordNumber=224070 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-I44GJRK Error Code: 0x0 10/09/2020 08:59:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logoff OpCode=Info RecordNumber=224069 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0xD1DFF Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 08:59:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Special Logon OpCode=Info RecordNumber=224068 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0xD1DFF Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:59:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=224067 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0xD1DFF Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-I44GJRK Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:59:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=224066 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 08:59:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Credential Validation OpCode=Info RecordNumber=224065 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-I44GJRK Error Code: 0x0 10/09/2020 08:59:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logoff OpCode=Info RecordNumber=224064 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0xD1748 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 08:59:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logoff OpCode=Info RecordNumber=224063 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0xD0A85 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 08:59:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logoff OpCode=Info RecordNumber=224062 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0xCED9F Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 08:59:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Special Logon OpCode=Info RecordNumber=224061 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0xD1748 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:59:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=224060 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0xD1748 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-I44GJRK Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:59:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=224059 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 08:59:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Credential Validation OpCode=Info RecordNumber=224058 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-I44GJRK Error Code: 0x0 10/09/2020 08:59:13 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Security Group Management OpCode=Info RecordNumber=224117 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Administrators Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x414 Process Name: C:\Windows\System32\svchost.exe 10/09/2020 08:59:13 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Special Logon OpCode=Info RecordNumber=224116 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0xD547D Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:59:13 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=224115 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0xD547D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-I44GJRK Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:59:13 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=224114 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 08:59:13 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Credential Validation OpCode=Info RecordNumber=224113 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-I44GJRK Error Code: 0x0 10/09/2020 08:59:13 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logoff OpCode=Info RecordNumber=224112 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0xD1F11 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 08:59:13 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logoff OpCode=Info RecordNumber=224111 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0xD539E Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 08:59:13 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logoff OpCode=Info RecordNumber=224110 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0xD23C8 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 08:59:13 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Special Logon OpCode=Info RecordNumber=224109 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0xD539E Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:59:13 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=224108 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0xD539E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-I44GJRK Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:59:13 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=224107 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 08:59:13 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Credential Validation OpCode=Info RecordNumber=224106 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-I44GJRK Error Code: 0x0 10/09/2020 08:59:13 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logoff OpCode=Info RecordNumber=224105 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0xD536D Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 08:59:13 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Special Logon OpCode=Info RecordNumber=224104 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0xD536D Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:59:13 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=224103 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0xD536D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-I44GJRK Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:59:13 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=224102 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 08:59:13 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Credential Validation OpCode=Info RecordNumber=224101 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-I44GJRK Error Code: 0x0 10/09/2020 08:59:13 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logoff OpCode=Info RecordNumber=224100 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0xD4DBA Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 08:59:13 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logoff OpCode=Info RecordNumber=224099 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0xD40E6 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 08:59:13 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logoff OpCode=Info RecordNumber=224098 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0xD24C9 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 08:59:13 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Special Logon OpCode=Info RecordNumber=224097 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0xD4DBA Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:59:13 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=224096 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0xD4DBA Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-I44GJRK Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:59:13 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=224095 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 08:59:13 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Credential Validation OpCode=Info RecordNumber=224094 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-I44GJRK Error Code: 0x0 10/09/2020 08:59:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Special Logon OpCode=Info RecordNumber=224157 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0xD93F1 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:59:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=224156 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0xD93F1 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-I44GJRK Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:59:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=224155 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 08:59:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Credential Validation OpCode=Info RecordNumber=224154 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-I44GJRK Error Code: 0x0 10/09/2020 08:59:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Special Logon OpCode=Info RecordNumber=224153 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0xD931D Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:59:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=224152 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0xD931D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-I44GJRK Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:59:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=224151 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 08:59:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Credential Validation OpCode=Info RecordNumber=224150 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-I44GJRK Error Code: 0x0 10/09/2020 08:59:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Special Logon OpCode=Info RecordNumber=224149 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0xD8FBD Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:59:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=224148 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0xD8FBD Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-I44GJRK Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:59:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=224147 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 08:59:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Credential Validation OpCode=Info RecordNumber=224146 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-I44GJRK Error Code: 0x0 10/09/2020 08:59:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logoff OpCode=Info RecordNumber=224145 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0xD8F62 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 08:59:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Special Logon OpCode=Info RecordNumber=224144 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0xD8F62 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:59:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=224143 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0xD8F62 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-I44GJRK Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:59:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=224142 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 08:59:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Credential Validation OpCode=Info RecordNumber=224141 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-I44GJRK Error Code: 0x0 10/09/2020 08:59:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logoff OpCode=Info RecordNumber=224140 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0xD6EE4 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 08:59:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Special Logon OpCode=Info RecordNumber=224139 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0xD6EE4 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:59:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=224138 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0xD6EE4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-I44GJRK Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:59:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=224137 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 08:59:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Credential Validation OpCode=Info RecordNumber=224136 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-I44GJRK Error Code: 0x0 10/09/2020 08:59:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Special Logon OpCode=Info RecordNumber=224135 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0xD6E21 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:59:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=224134 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0xD6E21 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-I44GJRK Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:59:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=224133 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 08:59:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Credential Validation OpCode=Info RecordNumber=224132 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-I44GJRK Error Code: 0x0 10/09/2020 08:59:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logoff OpCode=Info RecordNumber=224131 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0xD6DF0 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 08:59:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Special Logon OpCode=Info RecordNumber=224130 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0xD6DF0 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:59:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=224129 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0xD6DF0 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-I44GJRK Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:59:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=224128 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 08:59:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Credential Validation OpCode=Info RecordNumber=224127 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-I44GJRK Error Code: 0x0 10/09/2020 08:59:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logoff OpCode=Info RecordNumber=224126 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0xD5A27 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 08:59:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Special Logon OpCode=Info RecordNumber=224125 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0xD5A27 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:59:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=224124 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0xD5A27 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-I44GJRK Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:59:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=224123 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 08:59:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Credential Validation OpCode=Info RecordNumber=224122 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-I44GJRK Error Code: 0x0 10/09/2020 08:59:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Special Logon OpCode=Info RecordNumber=224121 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0xD5936 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:59:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=224120 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0xD5936 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-I44GJRK Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:59:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=224119 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 08:59:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Credential Validation OpCode=Info RecordNumber=224118 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-I44GJRK Error Code: 0x0 10/09/2020 08:59:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Special Logon OpCode=Info RecordNumber=224162 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0xDA78D Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:59:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=224161 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0xDA78D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-I44GJRK Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:59:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=224160 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 08:59:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Credential Validation OpCode=Info RecordNumber=224159 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-I44GJRK Error Code: 0x0 10/09/2020 08:59:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logoff OpCode=Info RecordNumber=224158 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0xD93F1 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 08:59:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224186 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\programdata_microsoft_windows_cae2264614449191.cdf-ms Handle ID: 0x70 Process Information: Process ID: 0xe6c Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 10/09/2020 08:59:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224185 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\programdata_microsoft_fe5c6d762edd2110.cdf-ms Handle ID: 0x70 Process Information: Process ID: 0xe6c Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 10/09/2020 08:59:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224184 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\programdata.cdf-ms Handle ID: 0x6c Process Information: Process ID: 0xe6c Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 10/09/2020 08:59:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224183 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_elambkup_0bc02aa0c28485f3.cdf-ms Handle ID: 0x64 Process Information: Process ID: 0xe6c Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 10/09/2020 08:59:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224182 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_drivers_dc1b782427b5ee1b.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0xe6c Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 10/09/2020 08:59:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224181 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_windowspowershell_v1.0_modules_a349059b05097caa.cdf-ms Handle ID: 0x74 Process Information: Process ID: 0xe6c Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 10/09/2020 08:59:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224180 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_windowspowershell_v1.0_3f102d555ee05d33.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0xe6c Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 10/09/2020 08:59:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224179 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_21f9a9c4a2f8b514.cdf-ms Handle ID: 0x64 Process Information: Process ID: 0xe6c Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 10/09/2020 08:59:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224178 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_syswow64_21ffbdd2a2dd92e0.cdf-ms Handle ID: 0x58 Process Information: Process ID: 0xe6c Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 10/09/2020 08:59:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224177 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$.cdf-ms Handle ID: 0x58 Process Information: Process ID: 0xe6c Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 10/09/2020 08:59:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224176 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\_0000000000000000.cdf-ms Handle ID: 0x58 Process Information: Process ID: 0xe6c Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 10/09/2020 08:59:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Special Logon OpCode=Info RecordNumber=224175 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0xDAE0D Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:59:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=224174 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0xDAE0D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-I44GJRK Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:59:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=224173 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 08:59:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Credential Validation OpCode=Info RecordNumber=224172 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-I44GJRK Error Code: 0x0 10/09/2020 08:59:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Special Logon OpCode=Info RecordNumber=224171 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0xDAD0C Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:59:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=224170 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0xDAD0C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-I44GJRK Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:59:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=224169 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 08:59:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Credential Validation OpCode=Info RecordNumber=224168 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-I44GJRK Error Code: 0x0 10/09/2020 08:59:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Special Logon OpCode=Info RecordNumber=224167 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0xDA97F Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:59:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=224166 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0xDA97F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-I44GJRK Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:59:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=224165 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 08:59:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Credential Validation OpCode=Info RecordNumber=224164 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-I44GJRK Error Code: 0x0 10/09/2020 08:59:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logoff OpCode=Info RecordNumber=224163 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0xDA78D Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 08:59:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Special Logon OpCode=Info RecordNumber=224197 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0xDC71E Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:59:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=224196 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0xDC71E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-I44GJRK Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:59:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=224195 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 08:59:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Credential Validation OpCode=Info RecordNumber=224194 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-I44GJRK Error Code: 0x0 10/09/2020 08:59:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logoff OpCode=Info RecordNumber=224193 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0xDAE0D Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 08:59:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224192 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\program_files_windows_defender_3e33901162166ae9.cdf-ms Handle ID: 0x7c Process Information: Process ID: 0xe6c Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 10/09/2020 08:59:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224191 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\program_files_ffd0cbfc813cc4f1.cdf-ms Handle ID: 0x7c Process Information: Process ID: 0xe6c Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 10/09/2020 08:59:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224190 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\program_files_x86__676bbe2c7241b694.cdf-ms Handle ID: 0x88 Process Information: Process ID: 0xe6c Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 10/09/2020 08:59:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224189 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\programdata_microsoft_windows_start_menu_programs_system_tools_fde5decba5bb578b.cdf-ms Handle ID: 0x88 Process Information: Process ID: 0xe6c Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 10/09/2020 08:59:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224188 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\programdata_microsoft_windows_start_menu_programs_d672ba09d81e87ff.cdf-ms Handle ID: 0x7c Process Information: Process ID: 0xe6c Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 10/09/2020 08:59:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224187 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\programdata_microsoft_windows_start_menu_fde55420546edfe6.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0xe6c Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 10/09/2020 08:59:18 AM LogName=Security SourceName=Microsoft-Windows-Eventlog EventCode=1100 EventType=4 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Service shutdown OpCode=Info RecordNumber=224198 Keywords=Audit Success Message=The event logging service has shut down. 10/09/2020 08:59:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Process Creation OpCode=Info RecordNumber=224200 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1c0 New Process Name: C:\Windows\System32\smss.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x4 Creator Process Name: Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 10/09/2020 08:59:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4826 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Other Policy Change Events OpCode=Info RecordNumber=224199 Keywords=Audit Success Message=Boot Configuration Data loaded. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 General Settings: Load Options: - Advanced Options: No Configuration Access Policy: Default System Event Logging: No Kernel Debugging: No VSM Launch Type: Off Signature Settings: Test Signing: No Flight Signing: No Disable Integrity Checks: No HyperVisor Settings: HyperVisor Load Options: - HyperVisor Launch Type: Off HyperVisor Debugging: No 10/09/2020 08:59:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Process Creation OpCode=Info RecordNumber=224209 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x35c New Process Name: C:\Windows\System32\lsass.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x2cc Creator Process Name: C:\Windows\System32\wininit.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 10/09/2020 08:59:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Process Creation OpCode=Info RecordNumber=224208 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x354 New Process Name: C:\Windows\System32\services.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x2cc Creator Process Name: C:\Windows\System32\wininit.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 10/09/2020 08:59:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Process Creation OpCode=Info RecordNumber=224207 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x30c New Process Name: C:\Windows\System32\winlogon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x2c4 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 10/09/2020 08:59:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Process Creation OpCode=Info RecordNumber=224206 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x2d4 New Process Name: C:\Windows\System32\csrss.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x2c4 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 10/09/2020 08:59:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Process Creation OpCode=Info RecordNumber=224205 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x2cc New Process Name: C:\Windows\System32\wininit.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x27c Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 10/09/2020 08:59:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Process Creation OpCode=Info RecordNumber=224204 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x2c4 New Process Name: C:\Windows\System32\smss.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x1c0 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 10/09/2020 08:59:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Process Creation OpCode=Info RecordNumber=224203 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x284 New Process Name: C:\Windows\System32\csrss.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x27c Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 10/09/2020 08:59:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Process Creation OpCode=Info RecordNumber=224202 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x27c New Process Name: C:\Windows\System32\smss.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x1c0 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 10/09/2020 08:59:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Process Creation OpCode=Info RecordNumber=224201 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x24c New Process Name: C:\Windows\System32\autochk.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x1c0 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 10/09/2020 08:59:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Logon OpCode=Info RecordNumber=224239 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\ANONYMOUS LOGON Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x140C4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V1 Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:59:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Security Group Management OpCode=Info RecordNumber=224238 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E4 Group: Security ID: BUILTIN\Backup Operators Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x5c0 Process Name: C:\Windows\System32\svchost.exe 10/09/2020 08:59:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Security Group Management OpCode=Info RecordNumber=224237 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E4 Group: Security ID: BUILTIN\Administrators Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x5c0 Process Name: C:\Windows\System32\svchost.exe 10/09/2020 08:59:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Special Logon OpCode=Info RecordNumber=224236 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:59:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Logon OpCode=Info RecordNumber=224235 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x354 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:59:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Special Logon OpCode=Info RecordNumber=224234 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:59:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Logon OpCode=Info RecordNumber=224233 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x354 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:59:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Special Logon OpCode=Info RecordNumber=224232 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:59:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Logon OpCode=Info RecordNumber=224231 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x354 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:59:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5033 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Other System Events OpCode=Info RecordNumber=224230 Keywords=Audit Success Message=The Windows Firewall Driver started successfully. 10/09/2020 08:59:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Special Logon OpCode=Info RecordNumber=224229 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:59:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Logon OpCode=Info RecordNumber=224228 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x354 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:59:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Special Logon OpCode=Info RecordNumber=224227 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:59:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Logon OpCode=Info RecordNumber=224226 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x354 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:59:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Special Logon OpCode=Info RecordNumber=224225 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\LOCAL SERVICE Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege 10/09/2020 08:59:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Logon OpCode=Info RecordNumber=224224 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\LOCAL SERVICE Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x354 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:59:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Special Logon OpCode=Info RecordNumber=224223 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:59:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Logon OpCode=Info RecordNumber=224222 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x354 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:59:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Special Logon OpCode=Info RecordNumber=224221 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: Window Manager\DWM-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0xA4ED Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege 10/09/2020 08:59:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Special Logon OpCode=Info RecordNumber=224220 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: Window Manager\DWM-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0xA4C7 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege 10/09/2020 08:59:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Logon OpCode=Info RecordNumber=224219 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: Window Manager\DWM-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0xA4ED Linked Logon ID: 0xA4C7 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x30c Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:59:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Logon OpCode=Info RecordNumber=224218 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: Window Manager\DWM-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0xA4C7 Linked Logon ID: 0xA4ED Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x30c Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:59:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Logon OpCode=Info RecordNumber=224217 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: DWM-1 Account Domain: Window Manager Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x30c Process Name: C:\Windows\System32\winlogon.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 08:59:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Special Logon OpCode=Info RecordNumber=224216 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: NETWORK SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E4 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege 10/09/2020 08:59:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Logon OpCode=Info RecordNumber=224215 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: NETWORK SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x354 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:59:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Special Logon OpCode=Info RecordNumber=224214 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:59:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Logon OpCode=Info RecordNumber=224213 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x354 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:59:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4902 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224212 Keywords=Audit Success Message=The Per-user audit policy table was created. Number of Elements: 0 Policy ID: 0x553B 10/09/2020 08:59:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Logon OpCode=Info RecordNumber=224211 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 0 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: - New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4 Process Name: Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: - Authentication Package: - Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:59:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4608 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Security State Change OpCode=Info RecordNumber=224210 Keywords=Audit Success Message=Windows is starting up. This event is logged when LSASS.EXE starts and the auditing subsystem is initialized. 10/09/2020 08:59:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5024 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Other System Events OpCode=Info RecordNumber=224246 Keywords=Audit Success Message=The Windows Firewall service started successfully. 10/09/2020 08:59:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5061 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=System Integrity OpCode=Info RecordNumber=224245 Keywords=Audit Success Message=Cryptographic operation. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: TSSecKeySet1 Key Type: Machine key. Cryptographic Operation: Operation: Open Key. Return Code: 0x0 10/09/2020 08:59:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5058 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Other System Events OpCode=Info RecordNumber=224244 Keywords=Audit Success Message=Key file operation. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: TSSecKeySet1 Key Type: Machine key. Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\f686aace6942fb7f7ceb231212eef4a4_a5f018ff-4bb8-43ad-9826-7b5a47e80342 Operation: Read persisted key from file. Return Code: 0x0 10/09/2020 08:59:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5061 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=System Integrity OpCode=Info RecordNumber=224243 Keywords=Audit Success Message=Cryptographic operation. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: TSSecKeySet1 Key Type: Machine key. Cryptographic Operation: Operation: Open Key. Return Code: 0x0 10/09/2020 08:59:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5058 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Other System Events OpCode=Info RecordNumber=224242 Keywords=Audit Success Message=Key file operation. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: TSSecKeySet1 Key Type: Machine key. Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\f686aace6942fb7f7ceb231212eef4a4_a5f018ff-4bb8-43ad-9826-7b5a47e80342 Operation: Read persisted key from file. Return Code: 0x0 10/09/2020 08:59:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Security Group Management OpCode=Info RecordNumber=224241 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Backup Operators Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x408 Process Name: C:\Windows\System32\svchost.exe 10/09/2020 08:59:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Security Group Management OpCode=Info RecordNumber=224240 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Administrators Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x408 Process Name: C:\Windows\System32\svchost.exe 10/09/2020 08:59:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Special Logon OpCode=Info RecordNumber=224261 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-1796611 Logon ID: 0x299BD Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:59:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Logon OpCode=Info RecordNumber=224260 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-1796611 Logon ID: 0x299BD Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x5c0 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:59:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Logon OpCode=Info RecordNumber=224259 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-DC-1796611 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x5c0 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 08:59:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Credential Validation OpCode=Info RecordNumber=224258 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-DC-1796611 Error Code: 0x0 10/09/2020 08:59:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Special Logon OpCode=Info RecordNumber=224257 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-1796611 Logon ID: 0x29949 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:59:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Logon OpCode=Info RecordNumber=224256 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-1796611 Logon ID: 0x29949 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x5c0 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:59:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Logon OpCode=Info RecordNumber=224255 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-DC-1796611 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x5c0 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 08:59:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Credential Validation OpCode=Info RecordNumber=224254 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-DC-1796611 Error Code: 0x0 10/09/2020 08:59:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Security Group Management OpCode=Info RecordNumber=224253 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Administrators Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x408 Process Name: C:\Windows\System32\svchost.exe 10/09/2020 08:59:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Special Logon OpCode=Info RecordNumber=224252 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-1796611 Logon ID: 0x292B7 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:59:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Logon OpCode=Info RecordNumber=224251 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-1796611 Logon ID: 0x292B7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x5c0 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:59:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Logon OpCode=Info RecordNumber=224250 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-DC-1796611 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x5c0 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 08:59:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Credential Validation OpCode=Info RecordNumber=224249 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-DC-1796611 Error Code: 0x0 10/09/2020 08:59:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5061 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=System Integrity OpCode=Info RecordNumber=224248 Keywords=Audit Success Message=Cryptographic operation. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: tp-311d0843-98b0-4f90-836e-7f5cb6a401a8 Key Type: Machine key. Cryptographic Operation: Operation: Open Key. Return Code: 0x0 10/09/2020 08:59:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5058 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Other System Events OpCode=Info RecordNumber=224247 Keywords=Audit Success Message=Key file operation. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: a66784502aa0ecc0e4668d873ec398e1_a5f018ff-4bb8-43ad-9826-7b5a47e80342 Key Type: Machine key. Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\a66784502aa0ecc0e4668d873ec398e1_a5f018ff-4bb8-43ad-9826-7b5a47e80342 Operation: Read persisted key from file. Return Code: 0x0 10/09/2020 08:59:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Logoff OpCode=Info RecordNumber=224292 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-1796611 Logon ID: 0x2AC1C Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 08:59:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Logoff OpCode=Info RecordNumber=224291 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-1796611 Logon ID: 0x2BAF4 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 08:59:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Logoff OpCode=Info RecordNumber=224290 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-1796611 Logon ID: 0x2AEBD Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 08:59:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Special Logon OpCode=Info RecordNumber=224289 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-1796611 Logon ID: 0x2BAF4 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:59:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Logon OpCode=Info RecordNumber=224288 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-1796611 Logon ID: 0x2BAF4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x5c0 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:59:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Logon OpCode=Info RecordNumber=224287 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-DC-1796611 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x5c0 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 08:59:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Credential Validation OpCode=Info RecordNumber=224286 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-DC-1796611 Error Code: 0x0 10/09/2020 08:59:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Logoff OpCode=Info RecordNumber=224285 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-1796611 Logon ID: 0x2BAC3 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 08:59:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Special Logon OpCode=Info RecordNumber=224284 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-1796611 Logon ID: 0x2BAC3 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:59:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Logon OpCode=Info RecordNumber=224283 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-1796611 Logon ID: 0x2BAC3 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x5c0 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:59:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Logon OpCode=Info RecordNumber=224282 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-DC-1796611 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x5c0 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 08:59:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Credential Validation OpCode=Info RecordNumber=224281 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-DC-1796611 Error Code: 0x0 10/09/2020 08:59:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Logoff OpCode=Info RecordNumber=224280 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-1796611 Logon ID: 0x2AF59 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 08:59:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Special Logon OpCode=Info RecordNumber=224279 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-1796611 Logon ID: 0x2AF59 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:59:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Logon OpCode=Info RecordNumber=224278 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-1796611 Logon ID: 0x2AF59 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x5c0 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:59:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Logon OpCode=Info RecordNumber=224277 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-DC-1796611 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x5c0 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 08:59:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Credential Validation OpCode=Info RecordNumber=224276 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-DC-1796611 Error Code: 0x0 10/09/2020 08:59:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Special Logon OpCode=Info RecordNumber=224275 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-1796611 Logon ID: 0x2AEBD Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:59:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Logon OpCode=Info RecordNumber=224274 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-1796611 Logon ID: 0x2AEBD Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x5c0 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:59:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Logon OpCode=Info RecordNumber=224273 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-DC-1796611 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x5c0 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 08:59:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Credential Validation OpCode=Info RecordNumber=224272 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-DC-1796611 Error Code: 0x0 10/09/2020 08:59:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Special Logon OpCode=Info RecordNumber=224271 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-1796611 Logon ID: 0x2AC1C Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:59:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Logon OpCode=Info RecordNumber=224270 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-1796611 Logon ID: 0x2AC1C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x5c0 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:59:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Logon OpCode=Info RecordNumber=224269 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-DC-1796611 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x5c0 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 08:59:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Credential Validation OpCode=Info RecordNumber=224268 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-DC-1796611 Error Code: 0x0 10/09/2020 08:59:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Logoff OpCode=Info RecordNumber=224267 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-1796611 Logon ID: 0x2ABD9 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 08:59:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Special Logon OpCode=Info RecordNumber=224266 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-1796611 Logon ID: 0x2ABD9 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:59:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Logon OpCode=Info RecordNumber=224265 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-1796611 Logon ID: 0x2ABD9 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x5c0 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:59:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Logon OpCode=Info RecordNumber=224264 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-DC-1796611 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x5c0 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 08:59:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Credential Validation OpCode=Info RecordNumber=224263 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-DC-1796611 Error Code: 0x0 10/09/2020 08:59:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Logoff OpCode=Info RecordNumber=224262 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-1796611 Logon ID: 0x299BD Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 08:59:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Special Logon OpCode=Info RecordNumber=224304 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-1796611 Logon ID: 0x3228D Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:59:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Logon OpCode=Info RecordNumber=224303 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-1796611 Logon ID: 0x3228D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x5c0 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:59:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Logon OpCode=Info RecordNumber=224302 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-DC-1796611 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x5c0 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 08:59:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Credential Validation OpCode=Info RecordNumber=224301 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-DC-1796611 Error Code: 0x0 10/09/2020 08:59:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Special Logon OpCode=Info RecordNumber=224300 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-1796611 Logon ID: 0x321E9 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:59:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Logon OpCode=Info RecordNumber=224299 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-1796611 Logon ID: 0x321E9 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x5c0 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:59:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Logon OpCode=Info RecordNumber=224298 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-DC-1796611 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x5c0 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 08:59:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Credential Validation OpCode=Info RecordNumber=224297 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-DC-1796611 Error Code: 0x0 10/09/2020 08:59:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Special Logon OpCode=Info RecordNumber=224296 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-1796611 Logon ID: 0x31A0C Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:59:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Logon OpCode=Info RecordNumber=224295 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-1796611 Logon ID: 0x31A0C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x5c0 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:59:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Logon OpCode=Info RecordNumber=224294 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-DC-1796611 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x5c0 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 08:59:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Credential Validation OpCode=Info RecordNumber=224293 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-DC-1796611 Error Code: 0x0 10/09/2020 08:59:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Special Logon OpCode=Info RecordNumber=224312 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-1796611 Logon ID: 0x34DB4 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:59:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Logon OpCode=Info RecordNumber=224311 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-1796611 Logon ID: 0x34DB4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x5c0 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:59:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Logon OpCode=Info RecordNumber=224310 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-DC-1796611 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x5c0 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 08:59:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Credential Validation OpCode=Info RecordNumber=224309 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-DC-1796611 Error Code: 0x0 10/09/2020 08:59:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Special Logon OpCode=Info RecordNumber=224308 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-1796611 Logon ID: 0x345FB Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:59:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Logon OpCode=Info RecordNumber=224307 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-1796611 Logon ID: 0x345FB Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x5c0 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:59:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Logon OpCode=Info RecordNumber=224306 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-DC-1796611 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x5c0 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 08:59:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Credential Validation OpCode=Info RecordNumber=224305 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-DC-1796611 Error Code: 0x0 10/09/2020 09:00:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224472 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerZoneUnsign_v1.0.0.cdxml Handle ID: 0x7b0 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224471 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerZoneTransferPolicy_v1.0.0.cdxml Handle ID: 0x51c Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224470 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerZoneTransfer_v1.0.0.cdxml Handle ID: 0x7b8 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224469 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerZoneSign_v1.0.0.cdxml Handle ID: 0x7bc Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224468 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerZoneScope_v1.0.0.cdxml Handle ID: 0x3ac Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224467 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerZoneKeyMasterRole_v1.0.0.cdxml Handle ID: 0x7b0 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224466 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerZoneDelegation_v1.0.0.cdxml Handle ID: 0x7b4 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224465 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerZoneAging_v1.0.0.cdxml Handle ID: 0x72c Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224464 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerZone_v1.0.0.cdxml Handle ID: 0x7bc Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224463 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerVirtualizationInstance_v1.0.0.cdxml Handle ID: 0x7b8 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224462 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerTrustPoint_v1.0.0.cdxml Handle ID: 0x3ac Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224461 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerTrustAnchor_v1.0.0.cdxml Handle ID: 0x72c Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224460 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerStubZone_v1.0.0.cdxml Handle ID: 0x7bc Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224459 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerStatistics_v1.0.0.cdxml Handle ID: 0x7b8 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224458 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerSigningKeyRollover_v1.0.0.cdxml Handle ID: 0x3ac Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224457 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerSigningKey_v1.0.0.cdxml Handle ID: 0x72c Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224456 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerSetting_v1.0.0.cdxml Handle ID: 0x7bc Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224455 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerSecondaryZone_v1.0.0.cdxml Handle ID: 0x7b8 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224454 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerScavenging_v1.0.0.cdxml Handle ID: 0x3ac Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224453 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerRootHint_v1.0.0.cdxml Handle ID: 0x72c Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224452 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerResponseRateLimitingExceptionlist_v1.0.0.cdxml Handle ID: 0x7bc Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224451 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerResponseRateLimiting_v1.0.0.cdxml Handle ID: 0x7b8 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224450 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerResourceRecordPTR_v1.0.0.cdxml Handle ID: 0x3ac Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224449 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerResourceRecordMX_v1.0.0.cdxml Handle ID: 0x7b4 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224448 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerResourceRecordDS_v1.0.0.cdxml Handle ID: 0x7b0 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224447 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerResourceRecordDnsKey_v1.0.0.cdxml Handle ID: 0x7bc Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224446 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerResourceRecordCNAME_v1.0.0.cdxml Handle ID: 0x72c Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224445 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerResourceRecordAging_v1.0.0.cdxml Handle ID: 0x7b8 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224444 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerResourceRecordAAAA_v1.0.0.cdxml Handle ID: 0x3ac Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224443 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerResourceRecordA_v1.0.0.cdxml Handle ID: 0x7bc Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224442 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerResourceRecord_v1.0.0.cdxml Handle ID: 0x72c Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224441 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerRecursionScope_v1.0.0.cdxml Handle ID: 0x7b8 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224440 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerRecursion_v1.0.0.cdxml Handle ID: 0x3ac Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224439 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerQueryResolutionPolicy_v1.0.0.cdxml Handle ID: 0x7bc Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224438 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerPrimaryZone_v1.0.0.cdxml Handle ID: 0x72c Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224437 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerPolicy_v1.0.0.cdxml Handle ID: 0x7b8 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224436 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerKeyStorageProvider_v1.0.0.cdxml Handle ID: 0x3ac Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224435 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerGlobalQueryBlockList_v1.0.0.cdxml Handle ID: 0x7bc Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224434 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerGlobalNameZone_v1.0.0.cdxml Handle ID: 0x72c Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224433 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerForwarder_v1.0.0.cdxml Handle ID: 0x7b8 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224432 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerEdns_v1.0.0.cdxml Handle ID: 0x3ac Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224431 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerDsSetting_v1.0.0.cdxml Handle ID: 0x7bc Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224430 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerDnsSecZoneSetting_v1.0.0.cdxml Handle ID: 0x72c Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224429 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerDnsSecPublicKey_v1.0.0.cdxml Handle ID: 0x7b8 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224428 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerDirectoryPartition_v1.0.0.cdxml Handle ID: 0x3ac Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224427 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerDiagnostics_v1.0.0.cdxml Handle ID: 0x7bc Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224426 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerConditionalForwarder_v1.0.0.cdxml Handle ID: 0x72c Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224425 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerClientSubnet_v1.0.0.cdxml Handle ID: 0x7b8 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224424 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerCache_v1.0.0.cdxml Handle ID: 0x3ac Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224423 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServer_v1.0.0.cdxml Handle ID: 0x7bc Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224422 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DnsServer\DnsServerPsProvider.Types.ps1xml Handle ID: 0x72c Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224421 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DnsServer\DnsServerPsProvider.Format.ps1xml Handle ID: 0x7b8 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224420 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DnsServer\DnsServer.psd1 Handle ID: 0x7b0 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224419 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\dnsperf.dll Handle ID: 0x7b8 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224418 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerZoneUnsign_v1.0.0.cdxml Handle ID: 0x7bc Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224417 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerZoneTransferPolicy_v1.0.0.cdxml Handle ID: 0x7b0 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224416 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerZoneTransfer_v1.0.0.cdxml Handle ID: 0x3ac Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224415 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerZoneSign_v1.0.0.cdxml Handle ID: 0x7b8 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224414 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerZoneScope_v1.0.0.cdxml Handle ID: 0x7b4 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224413 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerZoneKeyMasterRole_v1.0.0.cdxml Handle ID: 0x72c Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224412 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerZoneDelegation_v1.0.0.cdxml Handle ID: 0x7bc Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224411 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerZoneAging_v1.0.0.cdxml Handle ID: 0x3ac Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224410 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerZone_v1.0.0.cdxml Handle ID: 0x7b8 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224409 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerVirtualizationInstance_v1.0.0.cdxml Handle ID: 0x7b4 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224408 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerTrustPoint_v1.0.0.cdxml Handle ID: 0x7bc Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224407 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerTrustAnchor_v1.0.0.cdxml Handle ID: 0x3ac Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224406 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerStubZone_v1.0.0.cdxml Handle ID: 0x7b8 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224405 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerStatistics_v1.0.0.cdxml Handle ID: 0x7b4 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224404 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerSigningKeyRollover_v1.0.0.cdxml Handle ID: 0x7bc Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224403 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerSigningKey_v1.0.0.cdxml Handle ID: 0x3ac Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224402 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerSetting_v1.0.0.cdxml Handle ID: 0x72c Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224401 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerSecondaryZone_v1.0.0.cdxml Handle ID: 0x7b4 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224400 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerScavenging_v1.0.0.cdxml Handle ID: 0x7bc Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224399 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerRootHint_v1.0.0.cdxml Handle ID: 0x3ac Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224398 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerResponseRateLimitingExceptionlist_v1.0.0.cdxml Handle ID: 0x72c Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224397 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerResponseRateLimiting_v1.0.0.cdxml Handle ID: 0x7b4 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224396 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerResourceRecordPTR_v1.0.0.cdxml Handle ID: 0x7bc Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224395 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerResourceRecordMX_v1.0.0.cdxml Handle ID: 0x7bc Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224394 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerResourceRecordDS_v1.0.0.cdxml Handle ID: 0x7b8 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224393 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerResourceRecordDnsKey_v1.0.0.cdxml Handle ID: 0x72c Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224392 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerResourceRecordCNAME_v1.0.0.cdxml Handle ID: 0x7b4 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224391 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerResourceRecordAging_v1.0.0.cdxml Handle ID: 0x7bc Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224390 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerResourceRecordAAAA_v1.0.0.cdxml Handle ID: 0x7b8 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224389 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerResourceRecordA_v1.0.0.cdxml Handle ID: 0x72c Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224388 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerResourceRecord_v1.0.0.cdxml Handle ID: 0x7b4 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224387 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerRecursionScope_v1.0.0.cdxml Handle ID: 0x7bc Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224386 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerRecursion_v1.0.0.cdxml Handle ID: 0x7b8 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224385 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerQueryResolutionPolicy_v1.0.0.cdxml Handle ID: 0x72c Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224384 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerPrimaryZone_v1.0.0.cdxml Handle ID: 0x7b4 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224383 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerPolicy_v1.0.0.cdxml Handle ID: 0x7bc Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224382 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerKeyStorageProvider_v1.0.0.cdxml Handle ID: 0x7b8 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224381 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerGlobalQueryBlockList_v1.0.0.cdxml Handle ID: 0x72c Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224380 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerGlobalNameZone_v1.0.0.cdxml Handle ID: 0x7b4 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224379 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerForwarder_v1.0.0.cdxml Handle ID: 0x7bc Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224378 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerEdns_v1.0.0.cdxml Handle ID: 0x7b8 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224377 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerDsSetting_v1.0.0.cdxml Handle ID: 0x7b8 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224376 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerDnsSecZoneSetting_v1.0.0.cdxml Handle ID: 0x7b4 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224375 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerDnsSecPublicKey_v1.0.0.cdxml Handle ID: 0x72c Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224374 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerDirectoryPartition_v1.0.0.cdxml Handle ID: 0x7bc Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224373 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerDiagnostics_v1.0.0.cdxml Handle ID: 0x7b8 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224372 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerConditionalForwarder_v1.0.0.cdxml Handle ID: 0x7b4 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224371 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerClientSubnet_v1.0.0.cdxml Handle ID: 0x72c Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224370 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerCache_v1.0.0.cdxml Handle ID: 0x7bc Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224369 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServer_v1.0.0.cdxml Handle ID: 0x7b8 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224368 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DnsServer\DnsServerPsProvider.Types.ps1xml Handle ID: 0x7b4 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224367 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DnsServer\DnsServerPsProvider.Format.ps1xml Handle ID: 0x72c Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224366 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DnsServer\DnsServer.psd1 Handle ID: 0x7bc Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224365 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\wbem\en-US\dnsserverpsprovider_uninstall.mfl Handle ID: 0x72c Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224364 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\wbem\en-US\dnsserverpsprovider.mfl Handle ID: 0x7b4 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224363 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\wbem\en-US\dnsserverpsprovider.dll.mui Handle ID: 0x7bc Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224362 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\wbem\en-US\dnsprov.mfl Handle ID: 0x7b8 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224361 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\wbem\en-US\dnsetw.mfl Handle ID: 0x72c Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224360 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\wbem\DnsServerPsProvider_Uninstall.mof Handle ID: 0x72c Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224359 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\wbem\DnsServerPsProvider.mof Handle ID: 0x7b4 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224358 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\wbem\dnsserverpsprovider.dll Handle ID: 0x7bc Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224357 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\wbem\dnsprov.mof Handle ID: 0x7b8 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224356 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\wbem\dnsprov.dll Handle ID: 0x72c Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224355 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\wbem\dnsetw.mof Handle ID: 0x7b4 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224354 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\en-US\DNSmgr.dll.mui Handle ID: 0x7bc Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224353 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\en-US\dnsmgmt.msc Handle ID: 0x7b8 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224352 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\en-US\dnscmd.exe.mui Handle ID: 0x72c Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224351 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\en-US\dns.exe.mui Handle ID: 0x7b4 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224350 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\dns\samples\PLACE.DNS Handle ID: 0x7bc Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224349 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\dns\samples\CACHE.DNS Handle ID: 0x7b8 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224348 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\dns\samples\BOOT Handle ID: 0x514 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224347 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\dns\samples\192.DNS Handle ID: 0x72c Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224346 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\dnsperf.dll Handle ID: 0x3ac Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224345 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\dnsmgr.dll Handle ID: 0x7b8 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224344 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\dnsmgmt.msc Handle ID: 0x514 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224343 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\dnscmd.exe Handle ID: 0x7b4 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224342 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\dns.exe Handle ID: 0x72c Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224341 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\INF\DNS\0409\dnsperf.ini Handle ID: 0x7b8 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224340 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\INF\DNS\0000\dnsperf.ini Handle ID: 0x510 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224339 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\INF\DNS\dnsperf.h Handle ID: 0x514 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224338 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\ProgramData\Microsoft\Event Viewer\Views\ServerRoles\DnsServer.Events.xml Handle ID: 0x510 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224337 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\programdata_microsoft_event_viewer_views_serverroles_36b1368cd034c4a0.cdf-ms Handle ID: 0x514 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 10/09/2020 09:00:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224336 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\programdata_microsoft_windows_start_menu_programs_administrative_tools_50eba26877c48094.cdf-ms Handle ID: 0x514 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 10/09/2020 09:00:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224335 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\programdata_microsoft_windows_start_menu_programs_d672ba09d81e87ff.cdf-ms Handle ID: 0x724 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 10/09/2020 09:00:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224334 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\programdata_microsoft_windows_start_menu_fde55420546edfe6.cdf-ms Handle ID: 0x618 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 10/09/2020 09:00:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224333 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\programdata_microsoft_windows_cae2264614449191.cdf-ms Handle ID: 0x72c Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 10/09/2020 09:00:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224332 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\programdata_microsoft_fe5c6d762edd2110.cdf-ms Handle ID: 0x510 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 10/09/2020 09:00:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224331 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\programdata.cdf-ms Handle ID: 0x618 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 10/09/2020 09:00:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224330 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_inf_dns_0000_a9f422c913ee6b04.cdf-ms Handle ID: 0x72c Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 10/09/2020 09:00:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224329 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_inf_dns_0409_a9f42a7313ee5f4f.cdf-ms Handle ID: 0x510 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 10/09/2020 09:00:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224328 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_inf_dns_b45bd646559d7e38.cdf-ms Handle ID: 0x72c Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 10/09/2020 09:00:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224327 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_inf_3f581daba4c8c835.cdf-ms Handle ID: 0x510 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 10/09/2020 09:00:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224326 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_dns_samples_12e6b2bbbaf4ad18.cdf-ms Handle ID: 0x7bc Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 10/09/2020 09:00:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224325 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_en-us_429cd25484dc6f94.cdf-ms Handle ID: 0x72c Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 10/09/2020 09:00:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224324 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_wbem_en-us_4555b1beb1c13883.cdf-ms Handle ID: 0x51c Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 10/09/2020 09:00:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224323 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_wbem_06656d9fdf2f8577.cdf-ms Handle ID: 0x7c0 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 10/09/2020 09:00:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224322 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_windowspowershell_v1.0_modules_dnsserver_b0e2c53d0808a92c.cdf-ms Handle ID: 0x7b8 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 10/09/2020 09:00:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224321 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_windowspowershell_v1.0_modules_a349059b05097caa.cdf-ms Handle ID: 0x7bc Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 10/09/2020 09:00:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224320 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_windowspowershell_v1.0_3f102d555ee05d33.cdf-ms Handle ID: 0x7b8 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 10/09/2020 09:00:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224319 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_21f9a9c4a2f8b514.cdf-ms Handle ID: 0x7c0 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 10/09/2020 09:00:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224318 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_syswow64_windowspowershell_v1.0_modules_dnsserver_0e521656ba347d64.cdf-ms Handle ID: 0x7bc Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 10/09/2020 09:00:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224317 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_syswow64_windowspowershell_v1.0_modules_b001352a7f7811a4.cdf-ms Handle ID: 0x7b8 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 10/09/2020 09:00:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224316 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_syswow64_windowspowershell_v1.0_19ae85881f1c4f2d.cdf-ms Handle ID: 0x7bc Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 10/09/2020 09:00:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224315 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_syswow64_21ffbdd2a2dd92e0.cdf-ms Handle ID: 0x7c0 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 10/09/2020 09:00:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224314 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$.cdf-ms Handle ID: 0x7b8 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 10/09/2020 09:00:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224313 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\_0000000000000000.cdf-ms Handle ID: 0x7bc Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 10/09/2020 09:00:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Special Logon OpCode=Info RecordNumber=224479 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-1796611 Logon ID: 0x5667B Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:00:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Logon OpCode=Info RecordNumber=224478 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-1796611 Logon ID: 0x5667B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x5c0 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:00:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Logon OpCode=Info RecordNumber=224477 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-DC-1796611 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x5c0 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:00:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Credential Validation OpCode=Info RecordNumber=224476 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-DC-1796611 Error Code: 0x0 10/09/2020 09:00:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Logoff OpCode=Info RecordNumber=224475 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-1796611 Logon ID: 0x34DB4 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:00:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Special Logon OpCode=Info RecordNumber=224474 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:00:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Logon OpCode=Info RecordNumber=224473 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x354 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:00:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Security Group Management OpCode=Info RecordNumber=224491 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Backup Operators Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0xd30 Process Name: C:\Windows\System32\VSSVC.exe 10/09/2020 09:00:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Security Group Management OpCode=Info RecordNumber=224490 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Administrators Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0xd30 Process Name: C:\Windows\System32\VSSVC.exe 10/09/2020 09:00:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Security Group Management OpCode=Info RecordNumber=224489 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Backup Operators Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0xd30 Process Name: C:\Windows\System32\VSSVC.exe 10/09/2020 09:00:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Security Group Management OpCode=Info RecordNumber=224488 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Administrators Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0xd30 Process Name: C:\Windows\System32\VSSVC.exe 10/09/2020 09:00:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Security Group Management OpCode=Info RecordNumber=224487 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Backup Operators Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0xd30 Process Name: C:\Windows\System32\VSSVC.exe 10/09/2020 09:00:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Security Group Management OpCode=Info RecordNumber=224486 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Administrators Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0xd30 Process Name: C:\Windows\System32\VSSVC.exe 10/09/2020 09:00:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Special Logon OpCode=Info RecordNumber=224485 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:00:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Logon OpCode=Info RecordNumber=224484 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x354 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:00:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Security Group Management OpCode=Info RecordNumber=224483 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Backup Operators Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0xd30 Process Name: C:\Windows\System32\VSSVC.exe 10/09/2020 09:00:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Security Group Management OpCode=Info RecordNumber=224482 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Administrators Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0xd30 Process Name: C:\Windows\System32\VSSVC.exe 10/09/2020 09:00:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Special Logon OpCode=Info RecordNumber=224481 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:00:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Logon OpCode=Info RecordNumber=224480 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x354 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:00:22 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5059 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Other System Events OpCode=Info RecordNumber=224498 Keywords=Audit Success Message=Key migration operation. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: 332fe7e7-d709-e3d8-af9e-7236c48f4c55 Key Type: User key. Additional Information: Operation: Export of persistent cryptographic key. Return Code: 0x0 10/09/2020 09:00:22 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5061 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=System Integrity OpCode=Info RecordNumber=224497 Keywords=Audit Success Message=Cryptographic operation. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: 332fe7e7-d709-e3d8-af9e-7236c48f4c55 Key Type: User key. Cryptographic Operation: Operation: Open Key. Return Code: 0x0 10/09/2020 09:00:22 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5058 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Other System Events OpCode=Info RecordNumber=224496 Keywords=Audit Success Message=Key file operation. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: 332fe7e7-d709-e3d8-af9e-7236c48f4c55 Key Type: User key. Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\SystemKeys\c863ea31ca086d21d5ab6f408a21b763_51f82a1e-9fd6-46e2-8656-0a748eeada79 Operation: Read persisted key from file. Return Code: 0x0 10/09/2020 09:00:22 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5061 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=System Integrity OpCode=Info RecordNumber=224495 Keywords=Audit Success Message=Cryptographic operation. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: 332fe7e7-d709-e3d8-af9e-7236c48f4c55 Key Type: User key. Cryptographic Operation: Operation: Open Key. Return Code: 0x0 10/09/2020 09:00:22 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5058 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Other System Events OpCode=Info RecordNumber=224494 Keywords=Audit Success Message=Key file operation. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: 332fe7e7-d709-e3d8-af9e-7236c48f4c55 Key Type: User key. Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\SystemKeys\c863ea31ca086d21d5ab6f408a21b763_51f82a1e-9fd6-46e2-8656-0a748eeada79 Operation: Read persisted key from file. Return Code: 0x0 10/09/2020 09:00:22 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Special Logon OpCode=Info RecordNumber=224493 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:00:22 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Logon OpCode=Info RecordNumber=224492 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x354 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:00:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Special Logon OpCode=Info RecordNumber=224528 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-1796611 Logon ID: 0x6442E Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:00:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Logon OpCode=Info RecordNumber=224527 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-1796611 Logon ID: 0x6442E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x5c0 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:00:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Logon OpCode=Info RecordNumber=224526 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-DC-1796611 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x5c0 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:00:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Credential Validation OpCode=Info RecordNumber=224525 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-DC-1796611 Error Code: 0x0 10/09/2020 09:00:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Special Logon OpCode=Info RecordNumber=224524 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-1796611 Logon ID: 0x63030 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:00:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Logon OpCode=Info RecordNumber=224523 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-1796611 Logon ID: 0x63030 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x5c0 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:00:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Logon OpCode=Info RecordNumber=224522 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-DC-1796611 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x5c0 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:00:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Credential Validation OpCode=Info RecordNumber=224521 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-DC-1796611 Error Code: 0x0 10/09/2020 09:00:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Special Logon OpCode=Info RecordNumber=224520 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-1796611 Logon ID: 0x62F8C Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:00:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Logon OpCode=Info RecordNumber=224519 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-1796611 Logon ID: 0x62F8C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x5c0 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:00:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Logon OpCode=Info RecordNumber=224518 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-DC-1796611 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x5c0 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:00:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Credential Validation OpCode=Info RecordNumber=224517 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-DC-1796611 Error Code: 0x0 10/09/2020 09:00:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Special Logon OpCode=Info RecordNumber=224516 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-1796611 Logon ID: 0x62C75 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:00:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Logon OpCode=Info RecordNumber=224515 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-1796611 Logon ID: 0x62C75 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x5c0 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:00:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Logon OpCode=Info RecordNumber=224514 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-DC-1796611 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x5c0 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:00:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Credential Validation OpCode=Info RecordNumber=224513 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-DC-1796611 Error Code: 0x0 10/09/2020 09:00:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Logoff OpCode=Info RecordNumber=224512 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-1796611 Logon ID: 0x62BF6 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:00:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Logoff OpCode=Info RecordNumber=224511 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-1796611 Logon ID: 0x321E9 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:00:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Special Logon OpCode=Info RecordNumber=224510 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-1796611 Logon ID: 0x62BF6 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:00:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Logon OpCode=Info RecordNumber=224509 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-1796611 Logon ID: 0x62BF6 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x5c0 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:00:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Logon OpCode=Info RecordNumber=224508 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-DC-1796611 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x5c0 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:00:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Credential Validation OpCode=Info RecordNumber=224507 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-DC-1796611 Error Code: 0x0 10/09/2020 09:00:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Logoff OpCode=Info RecordNumber=224506 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-1796611 Logon ID: 0x62BC5 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:00:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Special Logon OpCode=Info RecordNumber=224505 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-1796611 Logon ID: 0x62BC5 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:00:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Logon OpCode=Info RecordNumber=224504 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-1796611 Logon ID: 0x62BC5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x5c0 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:00:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Logon OpCode=Info RecordNumber=224503 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-DC-1796611 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x5c0 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:00:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Credential Validation OpCode=Info RecordNumber=224502 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-DC-1796611 Error Code: 0x0 10/09/2020 09:00:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Logoff OpCode=Info RecordNumber=224501 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-1796611 Logon ID: 0x5667B Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:00:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Logoff OpCode=Info RecordNumber=224500 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-1796611 Logon ID: 0x345FB Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:00:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Logoff OpCode=Info RecordNumber=224499 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-1796611 Logon ID: 0x3228D Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:00:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5061 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=System Integrity OpCode=Info RecordNumber=224538 Keywords=Audit Success Message=Cryptographic operation. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: 332fe7e7-d709-e3d8-af9e-7236c48f4c55 Key Type: User key. Cryptographic Operation: Operation: Open Key. Return Code: 0x0 10/09/2020 09:00:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5058 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Other System Events OpCode=Info RecordNumber=224537 Keywords=Audit Success Message=Key file operation. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: 332fe7e7-d709-e3d8-af9e-7236c48f4c55 Key Type: User key. Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\SystemKeys\c863ea31ca086d21d5ab6f408a21b763_51f82a1e-9fd6-46e2-8656-0a748eeada79 Operation: Read persisted key from file. Return Code: 0x0 10/09/2020 09:00:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5061 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=System Integrity OpCode=Info RecordNumber=224536 Keywords=Audit Success Message=Cryptographic operation. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: 332fe7e7-d709-e3d8-af9e-7236c48f4c55 Key Type: User key. Cryptographic Operation: Operation: Open Key. Return Code: 0x0 10/09/2020 09:00:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5058 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Other System Events OpCode=Info RecordNumber=224535 Keywords=Audit Success Message=Key file operation. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: 332fe7e7-d709-e3d8-af9e-7236c48f4c55 Key Type: User key. Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\SystemKeys\c863ea31ca086d21d5ab6f408a21b763_51f82a1e-9fd6-46e2-8656-0a748eeada79 Operation: Read persisted key from file. Return Code: 0x0 10/09/2020 09:00:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Special Logon OpCode=Info RecordNumber=224534 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-1796611 Logon ID: 0x64D29 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:00:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Logon OpCode=Info RecordNumber=224533 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-1796611 Logon ID: 0x64D29 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x5c0 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:00:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Logon OpCode=Info RecordNumber=224532 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-DC-1796611 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x5c0 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:00:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Credential Validation OpCode=Info RecordNumber=224531 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-DC-1796611 Error Code: 0x0 10/09/2020 09:00:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5061 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=System Integrity OpCode=Info RecordNumber=224530 Keywords=Audit Success Message=Cryptographic operation. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: 332fe7e7-d709-e3d8-af9e-7236c48f4c55 Key Type: User key. Cryptographic Operation: Operation: Open Key. Return Code: 0x0 10/09/2020 09:00:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5058 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Other System Events OpCode=Info RecordNumber=224529 Keywords=Audit Success Message=Key file operation. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: 332fe7e7-d709-e3d8-af9e-7236c48f4c55 Key Type: User key. Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\SystemKeys\c863ea31ca086d21d5ab6f408a21b763_51f82a1e-9fd6-46e2-8656-0a748eeada79 Operation: Read persisted key from file. Return Code: 0x0 10/09/2020 09:00:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Special Logon OpCode=Info RecordNumber=224580 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-1796611 Logon ID: 0x67524 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:00:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Logon OpCode=Info RecordNumber=224579 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-1796611 Logon ID: 0x67524 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x5c0 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:00:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Logon OpCode=Info RecordNumber=224578 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-DC-1796611 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x5c0 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:00:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Credential Validation OpCode=Info RecordNumber=224577 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-DC-1796611 Error Code: 0x0 10/09/2020 09:00:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Special Logon OpCode=Info RecordNumber=224576 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-1796611 Logon ID: 0x66112 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:00:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Logon OpCode=Info RecordNumber=224575 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-1796611 Logon ID: 0x66112 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x5c0 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:00:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Logon OpCode=Info RecordNumber=224574 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-DC-1796611 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x5c0 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:00:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Credential Validation OpCode=Info RecordNumber=224573 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-DC-1796611 Error Code: 0x0 10/09/2020 09:00:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Special Logon OpCode=Info RecordNumber=224572 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-1796611 Logon ID: 0x6606E Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:00:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Logon OpCode=Info RecordNumber=224571 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-1796611 Logon ID: 0x6606E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x5c0 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:00:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Logon OpCode=Info RecordNumber=224570 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-DC-1796611 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x5c0 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:00:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Credential Validation OpCode=Info RecordNumber=224569 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-DC-1796611 Error Code: 0x0 10/09/2020 09:00:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Special Logon OpCode=Info RecordNumber=224568 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-1796611 Logon ID: 0x65E10 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:00:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Logon OpCode=Info RecordNumber=224567 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-1796611 Logon ID: 0x65E10 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x5c0 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:00:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Logon OpCode=Info RecordNumber=224566 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-DC-1796611 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x5c0 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:00:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Credential Validation OpCode=Info RecordNumber=224565 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-DC-1796611 Error Code: 0x0 10/09/2020 09:00:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Logoff OpCode=Info RecordNumber=224564 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-1796611 Logon ID: 0x62C75 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:00:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Logoff OpCode=Info RecordNumber=224563 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-1796611 Logon ID: 0x65DBD Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:00:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Logoff OpCode=Info RecordNumber=224562 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-1796611 Logon ID: 0x62F8C Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:00:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Special Logon OpCode=Info RecordNumber=224561 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-1796611 Logon ID: 0x65DBD Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:00:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Logon OpCode=Info RecordNumber=224560 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-1796611 Logon ID: 0x65DBD Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x5c0 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:00:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Logon OpCode=Info RecordNumber=224559 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-DC-1796611 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x5c0 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:00:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Credential Validation OpCode=Info RecordNumber=224558 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-DC-1796611 Error Code: 0x0 10/09/2020 09:00:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Logoff OpCode=Info RecordNumber=224557 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-1796611 Logon ID: 0x65D8C Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:00:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Special Logon OpCode=Info RecordNumber=224556 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-1796611 Logon ID: 0x65D8C Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:00:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Logon OpCode=Info RecordNumber=224555 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-1796611 Logon ID: 0x65D8C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x5c0 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:00:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Logon OpCode=Info RecordNumber=224554 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-DC-1796611 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x5c0 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:00:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Credential Validation OpCode=Info RecordNumber=224553 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-DC-1796611 Error Code: 0x0 10/09/2020 09:00:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Logoff OpCode=Info RecordNumber=224552 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-1796611 Logon ID: 0x64D29 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:00:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Logoff OpCode=Info RecordNumber=224551 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-1796611 Logon ID: 0x6442E Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:00:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Logoff OpCode=Info RecordNumber=224550 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-1796611 Logon ID: 0x63030 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:00:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4798 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=User Account Management OpCode=Info RecordNumber=224549 Keywords=Audit Success Message=A user's local group membership was enumerated. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-1796611 Logon ID: 0x62C75 User: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-1796611 Process Information: Process ID: 0xaf4 Process Name: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 10/09/2020 09:00:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4798 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=User Account Management OpCode=Info RecordNumber=224548 Keywords=Audit Success Message=A user's local group membership was enumerated. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-1796611 Logon ID: 0x62C75 User: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-1796611 Process Information: Process ID: 0xaf4 Process Name: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 10/09/2020 09:00:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4798 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=User Account Management OpCode=Info RecordNumber=224547 Keywords=Audit Success Message=A user's local group membership was enumerated. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-1796611 Logon ID: 0x62C75 User: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-1796611 Process Information: Process ID: 0xaf4 Process Name: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 10/09/2020 09:00:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4798 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=User Account Management OpCode=Info RecordNumber=224546 Keywords=Audit Success Message=A user's local group membership was enumerated. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-1796611 Logon ID: 0x62C75 User: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-1796611 Process Information: Process ID: 0xaf4 Process Name: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 10/09/2020 09:00:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Logoff OpCode=Info RecordNumber=224545 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-1796611 Logon ID: 0x65C8E Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:00:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Special Logon OpCode=Info RecordNumber=224544 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-1796611 Logon ID: 0x65C8E Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:00:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Logon OpCode=Info RecordNumber=224543 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-1796611 Logon ID: 0x62C75 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-1796611 Logon ID: 0x65C8E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xaf4 Process Name: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:00:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Credential Validation OpCode=Info RecordNumber=224542 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-DC-1796611 Error Code: 0x0 10/09/2020 09:00:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4798 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=User Account Management OpCode=Info RecordNumber=224541 Keywords=Audit Success Message=A user's local group membership was enumerated. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-1796611 Logon ID: 0x62C75 User: Security ID: ATTACKRANGE\Guest Account Name: Guest Account Domain: WIN-DC-1796611 Process Information: Process ID: 0xaf4 Process Name: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 10/09/2020 09:00:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4798 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=User Account Management OpCode=Info RecordNumber=224540 Keywords=Audit Success Message=A user's local group membership was enumerated. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-1796611 Logon ID: 0x62C75 User: Security ID: ATTACKRANGE\DefaultAccount Account Name: DefaultAccount Account Domain: WIN-DC-1796611 Process Information: Process ID: 0xaf4 Process Name: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 10/09/2020 09:00:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4798 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=User Account Management OpCode=Info RecordNumber=224539 Keywords=Audit Success Message=A user's local group membership was enumerated. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-1796611 Logon ID: 0x62C75 User: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-1796611 Process Information: Process ID: 0xaf4 Process Name: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 10/09/2020 09:00:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Special Logon OpCode=Info RecordNumber=224584 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-1796611 Logon ID: 0x681DE Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:00:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Logon OpCode=Info RecordNumber=224583 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-1796611 Logon ID: 0x681DE Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x5c0 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:00:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Logon OpCode=Info RecordNumber=224582 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-DC-1796611 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x5c0 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:00:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Credential Validation OpCode=Info RecordNumber=224581 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-DC-1796611 Error Code: 0x0 10/09/2020 09:00:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224748 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\ActiveDirectory\ActiveDirectory.Types.ps1xml Handle ID: 0x914 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224747 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\ActiveDirectory\ActiveDirectory.psd1 Handle ID: 0x918 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224746 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\ActiveDirectory\ActiveDirectory.Format.ps1xml Handle ID: 0x4f0 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224745 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\en-US\schmmgmt.dll.mui Handle ID: 0x918 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224744 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\en-US\repadmin.exe.mui Handle ID: 0xa54 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224743 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\en-US\rendom.exe.mui Handle ID: 0x918 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224742 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\en-US\redirusr.exe.mui Handle ID: 0x4f0 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224741 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\en-US\redircmp.exe.mui Handle ID: 0x914 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224740 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\en-US\ntfrsapi.dll.mui Handle ID: 0x368 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224739 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\en-US\ntdsutil.exe.mui Handle ID: 0x918 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224738 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\en-US\ldp.exe.mui Handle ID: 0x4f0 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224737 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\en-US\ldifde.exe.mui Handle ID: 0x914 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224736 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\en-US\gpfixup.exe.mui Handle ID: 0x368 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224735 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\en-US\dsuiwiz.dll.mui Handle ID: 0x918 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224734 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\en-US\dssite.msc Handle ID: 0x4f0 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224733 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\en-US\dsrm.exe.mui Handle ID: 0x914 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224732 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\en-US\dsquery.exe.mui Handle ID: 0x368 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224731 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\en-US\dsmove.exe.mui Handle ID: 0x918 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224730 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\en-US\dsmod.exe.mui Handle ID: 0x4f0 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224729 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\en-US\dsmgmt.exe.mui Handle ID: 0x914 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224728 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\en-US\dsget.exe.mui Handle ID: 0x368 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224727 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\en-US\dsdbutil.exe.mui Handle ID: 0x918 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224726 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\en-US\dsadmin.dll.mui Handle ID: 0x4f0 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224725 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\en-US\dsadd.exe.mui Handle ID: 0x914 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224724 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\en-US\dsacls.exe.mui Handle ID: 0x368 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224723 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\en-US\dsa.msc Handle ID: 0x918 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224722 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\en-US\domain.msc Handle ID: 0x4f0 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224721 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\en-US\domadmin.dll.mui Handle ID: 0x914 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224720 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\en-US\dcpromoui.dll.mui Handle ID: 0x368 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224719 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\en-US\dcpromocmd.dll.mui Handle ID: 0x918 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224718 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\en-US\dcdiag.exe.mui Handle ID: 0x4f0 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224717 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\en-US\csvde.exe.mui Handle ID: 0x914 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224716 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\en-US\adsiedit.msc Handle ID: 0x368 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224715 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\en-US\adsiedit.dll.mui Handle ID: 0x918 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224714 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\en-US\adprop.dll.mui Handle ID: 0x4f0 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224713 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\schmmgmt.dll Handle ID: 0x914 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224712 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\repadmin.exe Handle ID: 0x368 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224711 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\rendom.exe Handle ID: 0x918 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224710 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\redirusr.exe Handle ID: 0x4f0 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224709 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\redircmp.exe Handle ID: 0x914 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224708 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\ntfrsapi.dll Handle ID: 0x368 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224707 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\ntdsutil.exe Handle ID: 0x918 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224706 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\ldp.exe Handle ID: 0x4f0 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224705 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\ldifde.exe Handle ID: 0x914 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224704 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\gpfixup.exe Handle ID: 0x368 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224703 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\dsuiwiz.dll Handle ID: 0x918 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224702 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\dssite.msc Handle ID: 0x48c Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224701 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\dsrm.exe Handle ID: 0xa54 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224700 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\dsquery.exe Handle ID: 0x368 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224699 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\dsmove.exe Handle ID: 0x918 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224698 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\dsmod.exe Handle ID: 0x48c Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224697 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\dsmgmt.exe Handle ID: 0x4f0 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224696 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\dsget.exe Handle ID: 0xa54 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224695 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\dsdbutil.exe Handle ID: 0x368 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224694 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\dsadmin.dll Handle ID: 0x918 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224693 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\dsadd.exe Handle ID: 0x4f0 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224692 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\dsacls.exe Handle ID: 0xa54 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224691 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\dsa.msc Handle ID: 0x368 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224690 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\domain.msc Handle ID: 0x918 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224689 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\domadmin.dll Handle ID: 0x4f0 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224688 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\delegwiz.inf Handle ID: 0xa54 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224687 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\dcpromoui.dll Handle ID: 0x368 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224686 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\dcpromocmd.dll Handle ID: 0x918 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224685 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\dcdiag.exe Handle ID: 0x4f0 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224684 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\csvde.exe Handle ID: 0xa54 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224683 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\adsiedit.msc Handle ID: 0x368 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224682 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\adsiedit.dll Handle ID: 0x918 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224681 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\adprop.dll Handle ID: 0x4f0 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224680 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\ActiveDirectory\en-US\ActiveDirectoryPowerShellResources.dll.mui Handle ID: 0xa54 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224679 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\ActiveDirectory\ActiveDirectoryPowerShellResources.dll Handle ID: 0x4f0 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224678 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\ActiveDirectory\ActiveDirectory.Types.ps1xml Handle ID: 0x48c Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224677 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\ActiveDirectory\ActiveDirectory.psd1 Handle ID: 0xa54 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224676 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\ActiveDirectory\ActiveDirectory.Format.ps1xml Handle ID: 0x368 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224675 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\en-US\schmmgmt.dll.mui Handle ID: 0x48c Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224674 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\en-US\repadmin.exe.mui Handle ID: 0x4f0 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224673 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\en-US\rendom.exe.mui Handle ID: 0xa54 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224672 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\en-US\redirusr.exe.mui Handle ID: 0x918 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224671 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\en-US\redircmp.exe.mui Handle ID: 0x48c Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224670 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\en-US\ntfrsapi.dll.mui Handle ID: 0x4f0 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224669 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\en-US\ntdsutil.exe.mui Handle ID: 0xa54 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224668 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\en-US\ldp.exe.mui Handle ID: 0x918 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224667 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\en-US\ldifde.exe.mui Handle ID: 0x48c Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224666 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\en-US\gpfixup.exe.mui Handle ID: 0x4f0 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224665 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\en-US\dsuiwiz.dll.mui Handle ID: 0xa54 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224664 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\en-US\dssite.msc Handle ID: 0x918 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224663 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\en-US\dsrm.exe.mui Handle ID: 0x48c Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224662 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\en-US\dsquery.exe.mui Handle ID: 0x4f0 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224661 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\en-US\dsmove.exe.mui Handle ID: 0xa54 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224660 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\en-US\dsmod.exe.mui Handle ID: 0x918 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224659 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\en-US\dsmgmt.exe.mui Handle ID: 0x48c Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224658 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\en-US\dsget.exe.mui Handle ID: 0x360 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224657 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\en-US\dsdbutil.exe.mui Handle ID: 0xa54 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224656 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\en-US\dsadmin.dll.mui Handle ID: 0x918 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224655 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\en-US\dsadd.exe.mui Handle ID: 0x48c Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224654 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\en-US\dsacn.dll.mui Handle ID: 0x48c Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224653 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\en-US\dsacls.exe.mui Handle ID: 0xa54 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224652 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\en-US\dsa.msc Handle ID: 0x4f0 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224651 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\en-US\domain.msc Handle ID: 0x918 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224650 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\en-US\domadmin.dll.mui Handle ID: 0x48c Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224649 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\en-US\dcpromoui.dll.mui Handle ID: 0xa54 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224648 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\en-US\dcpromocmd.dll.mui Handle ID: 0x4f0 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224647 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\en-US\dcdiag.exe.mui Handle ID: 0x918 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224646 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\en-US\csvde.exe.mui Handle ID: 0x474 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224645 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\en-US\adsiedit.msc Handle ID: 0x368 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224644 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\en-US\adsiedit.dll.mui Handle ID: 0x4f0 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224643 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\en-US\adprop.dll.mui Handle ID: 0x918 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224642 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\en\Microsoft.ActiveDirectory.Management.resources.dll Handle ID: 0x474 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224641 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\en\dsac.resources.dll Handle ID: 0x368 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224640 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\schmmgmt.dll Handle ID: 0x4f0 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224639 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\repadmin.exe Handle ID: 0xa54 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224638 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\rendom.exe Handle ID: 0x368 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224637 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\redirusr.exe Handle ID: 0x474 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224636 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\redircmp.exe Handle ID: 0x4f0 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224635 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\ntfrsapi.dll Handle ID: 0xa54 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224634 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\ntdsutil.exe Handle ID: 0x368 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224633 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\ldp.exe Handle ID: 0x474 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224632 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\ldifde.exe Handle ID: 0x4f0 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224631 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\gpfixup.exe Handle ID: 0xa54 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224630 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\dsuiwiz.dll Handle ID: 0x368 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224629 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\dssite.msc Handle ID: 0x474 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224628 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\dsrm.exe Handle ID: 0x4f0 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224627 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\dsquery.exe Handle ID: 0xa54 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224626 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\dsmove.exe Handle ID: 0x368 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224625 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\dsmod.exe Handle ID: 0x360 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224624 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\dsmgmt.exe Handle ID: 0x474 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224623 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\dsget.exe Handle ID: 0xa54 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224622 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\dsdbutil.exe Handle ID: 0x368 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224621 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\dsadmin.dll Handle ID: 0x360 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224620 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\dsadd.exe Handle ID: 0x474 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224619 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\dsacn.dll Handle ID: 0xa54 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224618 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\dsacls.exe Handle ID: 0x368 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224617 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\dsac.exe Handle ID: 0xa54 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224616 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\dsa.msc Handle ID: 0x474 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224615 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\domain.msc Handle ID: 0x360 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224614 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\domadmin.dll Handle ID: 0x368 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224613 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\delegwiz.inf Handle ID: 0xa54 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224612 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\dcpromoui.dll Handle ID: 0x474 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224611 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\dcpromocmd.dll Handle ID: 0x360 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224610 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\dcdiag.exe Handle ID: 0x368 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224609 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\csvde.exe Handle ID: 0xa54 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224608 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\adsiedit.msc Handle ID: 0x474 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224607 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\adsiedit.dll Handle ID: 0x360 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224606 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\adprop.dll Handle ID: 0x368 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224605 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\programdata_microsoft_windows_start_menu_programs_administrative_tools_50eba26877c48094.cdf-ms Handle ID: 0x360 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 10/09/2020 09:00:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224604 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\programdata_microsoft_windows_start_menu_programs_d672ba09d81e87ff.cdf-ms Handle ID: 0xa54 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 10/09/2020 09:00:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224603 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\programdata_microsoft_windows_start_menu_fde55420546edfe6.cdf-ms Handle ID: 0x474 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 10/09/2020 09:00:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224602 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\programdata_microsoft_windows_cae2264614449191.cdf-ms Handle ID: 0x360 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 10/09/2020 09:00:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224601 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\programdata_microsoft_fe5c6d762edd2110.cdf-ms Handle ID: 0xa54 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 10/09/2020 09:00:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224600 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\programdata.cdf-ms Handle ID: 0x474 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 10/09/2020 09:00:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224599 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_en_9da4492827ac64e5.cdf-ms Handle ID: 0x360 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 10/09/2020 09:00:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224598 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_en-us_429cd25484dc6f94.cdf-ms Handle ID: 0xa54 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 10/09/2020 09:00:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224597 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_windowspowershell_v1.0_modules_activedirectory_en-us_8c3f31d53041388d.cdf-ms Handle ID: 0x4f0 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 10/09/2020 09:00:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224596 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_windowspowershell_v1.0_modules_activedirectory_bedd0f1af87a5c73.cdf-ms Handle ID: 0x360 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 10/09/2020 09:00:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224595 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_windowspowershell_v1.0_modules_a349059b05097caa.cdf-ms Handle ID: 0x474 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 10/09/2020 09:00:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224594 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_windowspowershell_v1.0_3f102d555ee05d33.cdf-ms Handle ID: 0x360 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 10/09/2020 09:00:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224593 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_21f9a9c4a2f8b514.cdf-ms Handle ID: 0xa54 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 10/09/2020 09:00:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224592 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_syswow64_en-us_9e576ab077991fe8.cdf-ms Handle ID: 0x474 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 10/09/2020 09:00:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224591 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_syswow64_windowspowershell_v1.0_modules_activedirectory_en-us_a57c0c93e0b20e55.cdf-ms Handle ID: 0x360 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 10/09/2020 09:00:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224590 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_syswow64_windowspowershell_v1.0_modules_activedirectory_5d166ad940a9b76d.cdf-ms Handle ID: 0xa54 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 10/09/2020 09:00:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224589 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_syswow64_windowspowershell_v1.0_modules_b001352a7f7811a4.cdf-ms Handle ID: 0x360 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 10/09/2020 09:00:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224588 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_syswow64_windowspowershell_v1.0_19ae85881f1c4f2d.cdf-ms Handle ID: 0xa54 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 10/09/2020 09:00:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224587 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_syswow64_21ffbdd2a2dd92e0.cdf-ms Handle ID: 0x474 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 10/09/2020 09:00:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224586 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$.cdf-ms Handle ID: 0x360 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 10/09/2020 09:00:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224585 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\_0000000000000000.cdf-ms Handle ID: 0xa54 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 10/09/2020 09:00:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Special Logon OpCode=Info RecordNumber=224775 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-1796611 Logon ID: 0x8850C Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:00:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Logon OpCode=Info RecordNumber=224774 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-1796611 Logon ID: 0x8850C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x5c0 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:00:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Logon OpCode=Info RecordNumber=224773 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-DC-1796611 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x5c0 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:00:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Credential Validation OpCode=Info RecordNumber=224772 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-DC-1796611 Error Code: 0x0 10/09/2020 09:00:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Special Logon OpCode=Info RecordNumber=224771 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-1796611 Logon ID: 0x8846A Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:00:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Logon OpCode=Info RecordNumber=224770 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-1796611 Logon ID: 0x8846A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x5c0 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:00:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Logon OpCode=Info RecordNumber=224769 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-DC-1796611 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x5c0 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:00:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Credential Validation OpCode=Info RecordNumber=224768 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-DC-1796611 Error Code: 0x0 10/09/2020 09:00:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Special Logon OpCode=Info RecordNumber=224767 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-1796611 Logon ID: 0x8804B Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:00:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Logon OpCode=Info RecordNumber=224766 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-1796611 Logon ID: 0x8804B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x5c0 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:00:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Logon OpCode=Info RecordNumber=224765 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-DC-1796611 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x5c0 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:00:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Credential Validation OpCode=Info RecordNumber=224764 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-DC-1796611 Error Code: 0x0 10/09/2020 09:00:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Logoff OpCode=Info RecordNumber=224763 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-1796611 Logon ID: 0x65E10 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:00:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Logoff OpCode=Info RecordNumber=224762 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-1796611 Logon ID: 0x87DEE Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:00:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Logoff OpCode=Info RecordNumber=224761 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-1796611 Logon ID: 0x6606E Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:00:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Special Logon OpCode=Info RecordNumber=224760 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-1796611 Logon ID: 0x87DEE Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:00:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Logon OpCode=Info RecordNumber=224759 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-1796611 Logon ID: 0x87DEE Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x5c0 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:00:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Logon OpCode=Info RecordNumber=224758 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-DC-1796611 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x5c0 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:00:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Credential Validation OpCode=Info RecordNumber=224757 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-DC-1796611 Error Code: 0x0 10/09/2020 09:00:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Logoff OpCode=Info RecordNumber=224756 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-1796611 Logon ID: 0x87C47 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:00:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Special Logon OpCode=Info RecordNumber=224755 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-1796611 Logon ID: 0x87C47 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:00:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Logon OpCode=Info RecordNumber=224754 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-1796611 Logon ID: 0x87C47 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x5c0 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:00:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Logon OpCode=Info RecordNumber=224753 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-DC-1796611 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x5c0 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:00:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Credential Validation OpCode=Info RecordNumber=224752 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-DC-1796611 Error Code: 0x0 10/09/2020 09:00:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Logoff OpCode=Info RecordNumber=224751 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-1796611 Logon ID: 0x681DE Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:00:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Logoff OpCode=Info RecordNumber=224750 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-1796611 Logon ID: 0x67524 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:00:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Logoff OpCode=Info RecordNumber=224749 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-1796611 Logon ID: 0x66112 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:00:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Special Logon OpCode=Info RecordNumber=224783 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-1796611 Logon ID: 0x8A4B0 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:00:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Logon OpCode=Info RecordNumber=224782 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-1796611 Logon ID: 0x8A4B0 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x5c0 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:00:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Logon OpCode=Info RecordNumber=224781 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-DC-1796611 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x5c0 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:00:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Credential Validation OpCode=Info RecordNumber=224780 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-DC-1796611 Error Code: 0x0 10/09/2020 09:00:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Special Logon OpCode=Info RecordNumber=224779 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-1796611 Logon ID: 0x89997 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:00:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Logon OpCode=Info RecordNumber=224778 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-1796611 Logon ID: 0x89997 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x5c0 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:00:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Logon OpCode=Info RecordNumber=224777 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-DC-1796611 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x5c0 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:00:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Credential Validation OpCode=Info RecordNumber=224776 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-DC-1796611 Error Code: 0x0 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=225128 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\GroupPolicy\GroupPolicy.psd1 Handle ID: 0xde0 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=225127 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\GroupPolicy\GroupPolicy.format.ps1xml Handle ID: 0xca0 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=225126 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\en-US\propshts.dll.mui Handle ID: 0xde0 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=225125 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\en-US\ntdsperf.dll.mui Handle ID: 0xddc Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=225124 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\en-US\gptedit.msc Handle ID: 0xca0 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=225123 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\en-US\GPRSoP.dll.mui Handle ID: 0xcac Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=225122 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\en-US\gpregistrybrowser.dll.mui Handle ID: 0xde0 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=225121 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\en-US\gpprefcn.dll.mui Handle ID: 0xddc Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=225120 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\en-US\gpprefbr.dll.mui Handle ID: 0xca0 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=225119 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\en-US\gppref.dll.mui Handle ID: 0xcac Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=225118 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\en-US\GPOAdminCustom.dll.mui Handle ID: 0xde0 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=225117 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\en-US\GPOAdminCommon.dll.mui Handle ID: 0xddc Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=225116 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\en-US\GPOAdmin.dll.mui Handle ID: 0xca0 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=225115 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\en-US\gpmgmt.dll.mui Handle ID: 0xcac Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=225114 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\en-US\gpme.msc Handle ID: 0xde0 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=225113 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\en-US\gpme.dll.mui Handle ID: 0xddc Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=225112 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\en-US\gpmc.msc Handle ID: 0xca0 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=225111 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\en-US\dfsrPropagationStrings.xml Handle ID: 0xcac Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=225110 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\en-US\DfsrHelper.dll.mui Handle ID: 0xde0 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=225109 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\en-US\dfsrHealthStrings.xml Handle ID: 0xddc Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=225108 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\en-US\dfsrHealthMessages.xml Handle ID: 0xca0 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=225107 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\en-US\DfsRes.dll.mui Handle ID: 0xcac Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=225106 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\en-US\DfsfrsHost.exe.mui Handle ID: 0xde0 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=225105 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\NTFRSPRF.dll Handle ID: 0xddc Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=225104 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\ntdsperf.dll Handle ID: 0xdc0 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=225103 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\gptedit.msc Handle ID: 0xca0 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=225102 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\GPRSoP.dll Handle ID: 0x874 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=225101 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\GPOAdminCustom.dll Handle ID: 0xddc Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=225100 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\GPOAdminCommon.dll Handle ID: 0xdc0 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=225099 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\GPOAdmin.dll Handle ID: 0xca0 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=225098 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\gpmgmt.dll Handle ID: 0x874 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=225097 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\gpme.msc Handle ID: 0xddc Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=225096 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\gpme.dll Handle ID: 0xdc0 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=225095 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\gpmc.msc Handle ID: 0xca0 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=225094 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\dfsrPropagationReport.xsl Handle ID: 0x874 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=225093 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\DfsrHelper.dll Handle ID: 0xddc Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=225092 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\dfsrHealthReport.xsl Handle ID: 0xdc0 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=225091 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\DfsRes.dll Handle ID: 0xca0 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=225090 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\dfsfrsHost.exe Handle ID: 0x874 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=225089 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\GroupPolicy\GroupPolicy.psd1 Handle ID: 0xca0 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=225088 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\GroupPolicy\GroupPolicy.format.ps1xml Handle ID: 0xdc0 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=225087 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DFSN\MSFT_DFSNamespaceServerConfig\DfsNamespaceserverconfig.types.ps1xml Handle ID: 0xca0 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=225086 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DFSN\MSFT_DFSNamespaceServerConfig\DfsNamespaceServerConfig.format.ps1xml Handle ID: 0xddc Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=225085 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DFSN\MSFT_DFSNamespaceServerConfig\DfsNamespaceserverconfig.cdxml Handle ID: 0xdc0 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=225084 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DFSN\MSFT_DFSNamespaceRootTarget\DfsNamespaceRootTarget.types.ps1xml Handle ID: 0xddc Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=225083 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DFSN\MSFT_DFSNamespaceRootTarget\DfsNamespaceRootTarget.format.ps1xml Handle ID: 0xca0 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=225082 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DFSN\MSFT_DFSNamespaceRootTarget\DfsNamespaceRootTarget.cdxml Handle ID: 0xdc0 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=225081 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DFSN\MSFT_DFSNamespaceFolderTarget\DfsNamespaceFolderTarget.types.ps1xml Handle ID: 0xca0 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=225080 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DFSN\MSFT_DFSNamespaceFolderTarget\DfsNamespaceFolderTarget.format.ps1xml Handle ID: 0xddc Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=225079 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DFSN\MSFT_DFSNamespaceFolderTarget\DfsNamespaceFolderTarget.cdxml Handle ID: 0xdc0 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=225078 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DFSN\MSFT_DFSNamespaceFolder\DfsNamespaceFolder.types.ps1xml Handle ID: 0xddc Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=225077 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DFSN\MSFT_DFSNamespaceFolder\DfsNamespaceFolder.format.ps1xml Handle ID: 0xca0 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=225076 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DFSN\MSFT_DFSNamespaceFolder\DfsNamespaceFolder.cdxml Handle ID: 0xdc0 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=225075 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DFSN\MSFT_DFSNamespaceAccess\DfsNamespaceAccess.types.ps1xml Handle ID: 0xca0 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=225074 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DFSN\MSFT_DFSNamespaceAccess\DfsNamespaceAccess.format.ps1xml Handle ID: 0xddc Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=225073 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DFSN\MSFT_DFSNamespaceAccess\DfsNamespaceAccess.cdxml Handle ID: 0xdc0 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=225072 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DFSN\MSFT_DFSNamespace\DfsNamespace.types.ps1xml Handle ID: 0xddc Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=225071 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DFSN\MSFT_DFSNamespace\DfsNamespace.format.ps1xml Handle ID: 0xca0 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=225070 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DFSN\MSFT_DFSNamespace\DfsNamespace.cdxml Handle ID: 0xdc0 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=225069 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DFSN\dfsn.psd1 Handle ID: 0xca0 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=225068 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\ADDSDeployment\ADDSDeployment.psd1 Handle ID: 0xca0 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=225067 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\wbem\en-US\replprov.mfl Handle ID: 0x874 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=225066 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\wbem\en-US\dfsrwmiv2_uninstall.mfl Handle ID: 0xddc Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=225065 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\wbem\en-US\dfsrwmiv2.mfl Handle ID: 0xca0 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=225064 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\wbem\en-US\dfsrwmiv2.dll.mui Handle ID: 0xdc0 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=225063 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\wbem\en-US\dfsrprovs.mfl Handle ID: 0x874 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=225062 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\wbem\en-US\dfsncimprov_Uninstall.mfl Handle ID: 0xddc Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=225061 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\wbem\en-US\dfsncimprov.mfl Handle ID: 0xca0 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=225060 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\wbem\adstatus\en-US\trustmon.mfl Handle ID: 0xdc0 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=225059 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\wbem\adstatus\en-US\trustmon.dll.mui Handle ID: 0x874 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=225058 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\wbem\adstatus\trustmon.dll Handle ID: 0x874 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=225057 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\wbem\ntdsa.mof Handle ID: 0xddc Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=225056 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\wbem\kdcsvc.mof Handle ID: 0xdc0 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=225055 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\wbem\dfsrwmiv2_uninstall.mof Handle ID: 0x874 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=225054 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\wbem\dfsrwmiv2.mof Handle ID: 0xca0 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=225053 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\wbem\dfsrwmiv2.dll Handle ID: 0xddc Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=225052 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\wbem\dfsrprovs.mof Handle ID: 0xdc0 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=225051 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\wbem\dfsncimprov_Uninstall.mof Handle ID: 0x874 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=225050 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\wbem\dfsncimprov.mof Handle ID: 0xca0 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=225049 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\migration\adwsmigrate.dll Handle ID: 0xddc Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=225048 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\en-US\replprov.dll.mui Handle ID: 0xdc0 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=225047 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\en-US\propshts.dll.mui Handle ID: 0xde0 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=225046 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\en-US\ntfrsutl.exe.mui Handle ID: 0xdc0 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=225045 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\en-US\ntfrsres.dll.mui Handle ID: 0xca0 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=225044 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\en-US\ntfrs.exe.mui Handle ID: 0x874 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=225043 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\en-US\ntdsperf.dll.mui Handle ID: 0xddc Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=225042 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\en-US\ntdsmsg.dll.mui Handle ID: 0xdc0 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=225041 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\en-US\ntdsbmsg.dll.mui Handle ID: 0xca0 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=225040 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\en-US\ntdsatq.dll.mui Handle ID: 0x874 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=225039 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\en-US\ntdsa.dll.mui Handle ID: 0xddc Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=225038 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\en-US\ldifde.dll.mui Handle ID: 0xdc0 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=225037 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\en-US\KdsSvc.dll.mui Handle ID: 0xca0 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=225036 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\en-US\kdcsvc.dll.mui Handle ID: 0x874 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=225035 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\en-US\kdcpw.dll.mui Handle ID: 0xddc Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=225034 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\en-US\ismserv.exe.mui Handle ID: 0xdc0 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=225033 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\en-US\gptedit.msc Handle ID: 0xca0 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=225032 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\en-US\GPRSoP.dll.mui Handle ID: 0x874 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=225031 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\en-US\gpregistrybrowser.dll.mui Handle ID: 0xddc Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=225030 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\en-US\gpprefcn.dll.mui Handle ID: 0xdc0 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=225029 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\en-US\gpprefbr.dll.mui Handle ID: 0xca0 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=225028 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\en-US\gppref.dll.mui Handle ID: 0x874 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=225027 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\en-US\GPOAdminCustom.dll.mui Handle ID: 0xddc Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=225026 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\en-US\GPOAdminCommon.dll.mui Handle ID: 0xdc0 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=225025 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\en-US\GPOAdmin.dll.mui Handle ID: 0xca0 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=225024 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\en-US\gpmgmt.dll.mui Handle ID: 0x874 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=225023 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\en-US\gpme.msc Handle ID: 0xddc Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=225022 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\en-US\gpme.dll.mui Handle ID: 0xdc0 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=225021 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\en-US\gpmc.msc Handle ID: 0xca0 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=225020 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\en-US\dsrolesrv.dll.mui Handle ID: 0x874 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=225019 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\en-US\dfsutil.exe.mui Handle ID: 0xddc Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=225018 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\en-US\dfssvc.exe.mui Handle ID: 0xdc0 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=225017 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\en-US\dfsrs.exe.mui Handle ID: 0xca0 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=225016 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\en-US\dfsrress.dll.mui Handle ID: 0x874 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=225015 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\en-US\dfsrPropagationStrings.xml Handle ID: 0xddc Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=225014 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\en-US\dfsrmig.exe.mui Handle ID: 0xdc0 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=225013 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\en-US\DfsrHelper.dll.mui Handle ID: 0xca0 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=225012 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\en-US\dfsrHealthStrings.xml Handle ID: 0x874 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=225011 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\en-US\dfsrHealthMessages.xml Handle ID: 0xddc Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=225010 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\en-US\DfsRes.dll.mui Handle ID: 0xdc0 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=225009 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\en-US\dfsncimprov.dll.mui Handle ID: 0xca0 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=225008 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\en-US\DfsfrsHost.exe.mui Handle ID: 0x874 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=225007 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\en-US\dfsdiag.exe.mui Handle ID: 0xddc Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=225006 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\en-US\dfscmd.exe.mui Handle ID: 0xdc0 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=225005 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\en-US\csvde.dll.mui Handle ID: 0xca0 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=225004 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\en-US\adprep.dll.mui Handle ID: 0x874 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=225003 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\en\mtedit.resources.dll Handle ID: 0xddc Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=225002 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\drivers\dfsrro.sys Handle ID: 0xdc0 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=225001 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\drivers\dfs.sys Handle ID: 0xca0 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=225000 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\adprep\schupgrade.cat Handle ID: 0x874 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224999 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\adprep\sch87.ldf Handle ID: 0xddc Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224998 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\adprep\sch86.ldf Handle ID: 0xdc0 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224997 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\adprep\sch85.ldf Handle ID: 0xca0 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224996 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\adprep\sch84.ldf Handle ID: 0x874 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224995 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\adprep\sch83.ldf Handle ID: 0xddc Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224994 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\adprep\sch82.ldf Handle ID: 0xdc0 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224993 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\adprep\sch81.ldf Handle ID: 0xca0 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224992 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\adprep\sch80.ldf Handle ID: 0x874 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224991 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\adprep\sch79.ldf Handle ID: 0xddc Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224990 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\adprep\sch78.ldf Handle ID: 0xdc0 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224989 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\adprep\sch77.ldf Handle ID: 0xca0 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224988 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\adprep\sch76.ldf Handle ID: 0x874 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224987 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\adprep\sch75.ldf Handle ID: 0xddc Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224986 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\adprep\sch74.ldf Handle ID: 0xdc0 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224985 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\adprep\sch73.ldf Handle ID: 0xca0 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224984 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\adprep\sch72.ldf Handle ID: 0x874 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224983 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\adprep\sch71.ldf Handle ID: 0xddc Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224982 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\adprep\sch70.ldf Handle ID: 0xdc0 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224981 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\adprep\sch69.ldf Handle ID: 0xca0 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224980 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\adprep\sch68.ldf Handle ID: 0x874 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224979 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\adprep\sch67.ldf Handle ID: 0xddc Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224978 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\adprep\sch66.ldf Handle ID: 0xdc0 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224977 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\adprep\sch65.ldf Handle ID: 0xca0 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224976 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\adprep\sch64.ldf Handle ID: 0x874 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224975 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\adprep\sch63.ldf Handle ID: 0xddc Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224974 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\adprep\sch62.ldf Handle ID: 0xdc0 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224973 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\adprep\sch61.ldf Handle ID: 0xca0 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224972 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\adprep\sch60.ldf Handle ID: 0x874 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224971 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\adprep\sch59.ldf Handle ID: 0xddc Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224970 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\adprep\sch58.ldf Handle ID: 0xdc0 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224969 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\adprep\sch57.ldf Handle ID: 0xca0 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224968 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\adprep\sch56.ldf Handle ID: 0x874 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224967 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\adprep\sch55.ldf Handle ID: 0xddc Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224966 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\adprep\sch54.ldf Handle ID: 0xdc0 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224965 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\adprep\sch53.ldf Handle ID: 0xca0 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224964 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\adprep\sch52.ldf Handle ID: 0xcac Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224963 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\adprep\sch51.ldf Handle ID: 0xca0 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224962 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\adprep\sch50.ldf Handle ID: 0xddc Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224961 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\adprep\sch49.ldf Handle ID: 0x874 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224960 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\adprep\sch48.ldf Handle ID: 0xdc0 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224959 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\adprep\sch47.ldf Handle ID: 0xca0 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224958 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\adprep\sch46.ldf Handle ID: 0xddc Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224957 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\adprep\sch45.ldf Handle ID: 0x874 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224956 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\adprep\sch44.ldf Handle ID: 0xdc0 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224955 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\adprep\sch43.ldf Handle ID: 0xca0 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224954 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\adprep\sch42.ldf Handle ID: 0xddc Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224953 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\adprep\sch41.ldf Handle ID: 0x874 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224952 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\adprep\sch40.ldf Handle ID: 0xdc0 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224951 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\adprep\sch39.ldf Handle ID: 0xca0 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224950 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\adprep\sch38.ldf Handle ID: 0xddc Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224949 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\adprep\sch37.ldf Handle ID: 0x874 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224948 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\adprep\sch36.ldf Handle ID: 0xdc0 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224947 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\adprep\sch35.ldf Handle ID: 0xca0 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224946 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\adprep\sch34.ldf Handle ID: 0xddc Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224945 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\adprep\sch33.ldf Handle ID: 0x874 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224944 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\adprep\sch32.ldf Handle ID: 0xdc0 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224943 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\adprep\sch31.ldf Handle ID: 0xca0 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224942 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\adprep\sch30.ldf Handle ID: 0xddc Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224941 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\adprep\sch29.ldf Handle ID: 0x874 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224940 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\adprep\sch28.ldf Handle ID: 0xdc0 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224939 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\adprep\sch27.ldf Handle ID: 0xca0 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224938 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\adprep\sch26.ldf Handle ID: 0xddc Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224937 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\adprep\sch25.ldf Handle ID: 0x874 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224936 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\adprep\sch24.ldf Handle ID: 0xdc0 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224935 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\adprep\sch23.ldf Handle ID: 0xca0 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224934 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\adprep\sch22.ldf Handle ID: 0xddc Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224933 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\adprep\sch21.ldf Handle ID: 0x874 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224932 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\adprep\sch20.ldf Handle ID: 0xdc0 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224931 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\adprep\sch19.ldf Handle ID: 0xca0 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224930 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\adprep\sch18.ldf Handle ID: 0xddc Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224929 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\adprep\sch17.ldf Handle ID: 0x874 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224928 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\adprep\sch16.ldf Handle ID: 0xdc0 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224927 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\adprep\sch15.ldf Handle ID: 0xca0 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224926 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\adprep\sch14.ldf Handle ID: 0xddc Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224925 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\adprep\pas.ldf Handle ID: 0x874 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224924 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\adprep\ffa5ee3c-1405-476d-b344-7ad37d69cc25.dcpromo.csv Handle ID: 0xdc0 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224923 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\adprep\dcpromo.csv Handle ID: 0xca0 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224922 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\adprep\dca8f425-baae-47cd-b424-e3f6c76ed08b.dcpromo.csv Handle ID: 0xddc Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224921 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\adprep\a662b036-dbbe-4166-b4ba-21abea17f9cc.dcpromo.csv Handle ID: 0x874 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224920 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\adprep\4444c516-f43a-4c12-9c4b-b5c064941d61.dcpromo.csv Handle ID: 0xdc0 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224919 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\adprep\134428a8-0043-48a6-bcda-63310d9ec4dd.dcpromo.csv Handle ID: 0xca0 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224918 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\adprep\00232167-f3a4-43c6-b503-9acb7a81b01c.dcpromo.csv Handle ID: 0xddc Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224917 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\ADDSDeployment_Internal\ADDSDeployment_Internal.psm1 Handle ID: 0xca0 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224916 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\ADDSDeployment_Internal\ADDSDeployment_Internal.psd1 Handle ID: 0xdc0 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224915 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\TransformationRulesParser.exe Handle ID: 0xca0 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224914 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\schema.ini Handle ID: 0x874 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224913 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\SampleDCCloneConfig.xml Handle ID: 0xdc0 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224912 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\replprov.mof Handle ID: 0x208 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224911 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\replprov.dll Handle ID: 0xca8 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224910 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\PwdSSP.dll Handle ID: 0x874 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224909 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\ntfrsutl.exe Handle ID: 0xca8 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224908 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\ntfrsres.dll Handle ID: 0xcb0 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224907 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\ntfrsrep.ini Handle ID: 0xca0 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224906 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\ntfrsrep.h Handle ID: 0xddc Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224905 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\NTFRSPRF.dll Handle ID: 0xca8 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224904 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\ntfrscon.ini Handle ID: 0xcb0 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224903 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\ntfrscon.h Handle ID: 0xca0 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224902 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\ntfrs.exe Handle ID: 0xddc Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224901 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\ntdsperf.dll Handle ID: 0xca8 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224900 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\ntdsmsg.dll Handle ID: 0xcb0 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224899 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\ntdskcc.dll Handle ID: 0xca0 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224898 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\ntdsetup.dll Handle ID: 0xddc Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224897 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\ntdsbsrv.dll Handle ID: 0xca8 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224896 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\ntdsbmsg.dll Handle ID: 0xcb0 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224895 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\ntdsatq.dll Handle ID: 0xca0 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224894 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\ntdsai.dll Handle ID: 0xddc Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224893 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\ntdsa.dll Handle ID: 0xca8 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224892 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\mtedit.exe Handle ID: 0xddc Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224891 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\lsadb.dll Handle ID: 0xcac Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224890 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\ldifde.dll Handle ID: 0xde0 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224889 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\KdsSvc.dll Handle ID: 0xca8 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224888 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\kdcsvc.dll Handle ID: 0xddc Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224887 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\kdcpw.dll Handle ID: 0xcac Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224886 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\ismserv.exe Handle ID: 0xcac Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224885 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\ismip.dll Handle ID: 0xcb0 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224884 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\gptedit.msc Handle ID: 0xca8 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224883 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\GPRSoP.dll Handle ID: 0xddc Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224882 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\GPOAdminCustom.dll Handle ID: 0xcac Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224881 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\GPOAdminCommon.dll Handle ID: 0xcb0 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224880 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\GPOAdmin.dll Handle ID: 0xca8 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224879 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\gpmgmt.dll Handle ID: 0xddc Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224878 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\gpme.msc Handle ID: 0xcac Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224877 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\gpme.dll Handle ID: 0xcb0 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224876 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\gpmc.msc Handle ID: 0xca8 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224875 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\dsrolesrv.dll Handle ID: 0xddc Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224874 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\dsamain.exe Handle ID: 0xcac Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224873 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\dfsutil.exe Handle ID: 0xcb0 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224872 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\dfssvc.exe Handle ID: 0xca8 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224871 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\dfsrs.exe Handle ID: 0xddc Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224870 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\dfsrress.dll Handle ID: 0xcac Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224869 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\dfsrPropagationReport.xsl Handle ID: 0xcb0 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224868 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\dfsrmig.exe Handle ID: 0xca8 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224867 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\DfsrHelper.dll Handle ID: 0xddc Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224866 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\dfsrHealthReport.xsl Handle ID: 0xcac Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224865 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\DfsRes.dll Handle ID: 0xcb0 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224864 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\dfsrapi.dll Handle ID: 0xca8 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224863 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\dfsncimprov.dll Handle ID: 0xddc Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224862 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\dfsfrsHost.exe Handle ID: 0xcac Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224861 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\DfsDiag.exe Handle ID: 0xcb0 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224860 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\dfscmd.exe Handle ID: 0xca8 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224859 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\DefaultDCCloneAllowList.XML Handle ID: 0xddc Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224858 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\DCCloneConfigSchema.xsd Handle ID: 0xcac Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224857 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\CustomDCCloneAllowListSchema.xsd Handle ID: 0xcb0 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224856 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\csvde.dll Handle ID: 0xca8 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224855 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\adprep.dll Handle ID: 0xddc Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224854 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\PLA\Rules\en-US\Rules.AD.xml Handle ID: 0xca8 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224853 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\PLA\Rules\Rules.AD.xml Handle ID: 0xcb0 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224852 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\PLA\Reports\en-US\Report.AD.xml Handle ID: 0xcac Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224851 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\PLA\Reports\Report.AD.xml Handle ID: 0xddc Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224850 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\INF\NTDS\0409\ntds.ini Handle ID: 0xca8 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224849 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\INF\NTDS\0000\ntds.ini Handle ID: 0xddc Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224848 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\INF\NTDS\ntdsctr.h Handle ID: 0xcb0 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224847 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\INF\DirectoryServices\0409\ntdsctrs.ini Handle ID: 0xcac Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224846 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\INF\DirectoryServices\0000\ntdsctrs.ini Handle ID: 0xca8 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224845 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\INF\DirectoryServices\ntdsctr.h Handle ID: 0xddc Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224844 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\ADWS\en-US\adwsres.dll.mui Handle ID: 0xcb0 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224843 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\ADWS\en\Microsoft.ActiveDirectory.WebServices.shared.resources.dll Handle ID: 0xcac Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224842 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\ADWS\en\Microsoft.ActiveDirectory.WebServices.resources.dll Handle ID: 0xddc Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224841 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.shared.dll Handle ID: 0xcac Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224840 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe Handle ID: 0xcb0 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224839 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\ADWS\adwsres.dll Handle ID: 0xddc Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224838 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\ProgramData\Microsoft\Event Viewer\Views\ServerRoles\ActiveDirectoryDomainServices.Events.xml Handle ID: 0xcac Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224837 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\programdata_microsoft_event_viewer_views_serverroles_36b1368cd034c4a0.cdf-ms Handle ID: 0xddc Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224836 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\programdata_microsoft_windows_start_menu_programs_administrative_tools_50eba26877c48094.cdf-ms Handle ID: 0xcb0 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224835 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\programdata_microsoft_windows_start_menu_programs_d672ba09d81e87ff.cdf-ms Handle ID: 0xcac Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224834 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\programdata_microsoft_windows_start_menu_fde55420546edfe6.cdf-ms Handle ID: 0xddc Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224833 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\programdata_microsoft_windows_cae2264614449191.cdf-ms Handle ID: 0xcb0 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224832 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\programdata_microsoft_fe5c6d762edd2110.cdf-ms Handle ID: 0xcac Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224831 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\programdata.cdf-ms Handle ID: 0xddc Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224830 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_adws_en_9ef683327778e99a.cdf-ms Handle ID: 0xcb0 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224829 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_adws_en-us_b35e8e0c695e6d21.cdf-ms Handle ID: 0xcac Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224828 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_adws_40103581a18c1e95.cdf-ms Handle ID: 0xcb0 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224827 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_inf_directoryservices_0000_305e975d8b02b78e.cdf-ms Handle ID: 0xcb0 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224826 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_inf_directoryservices_0409_305ea87b8b029dc9.cdf-ms Handle ID: 0xcac Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224825 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_inf_directoryservices_b618ab98d94f9ec8.cdf-ms Handle ID: 0xcb0 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224824 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_inf_ntds_0000_b76570db4564f96c.cdf-ms Handle ID: 0xcac Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224823 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_inf_ntds_0409_b765704b4564fab9.cdf-ms Handle ID: 0xcb0 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224822 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_inf_ntds_0ef7086abde34382.cdf-ms Handle ID: 0xcac Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224821 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_inf_3f581daba4c8c835.cdf-ms Handle ID: 0xcb0 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224820 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_pla_reports_en-us_04eb81229a78dfb4.cdf-ms Handle ID: 0xcac Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224819 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_pla_reports_a2604845b2b380ca.cdf-ms Handle ID: 0xddc Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224818 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_pla_rules_en-us_8cd2a7c250e636a2.cdf-ms Handle ID: 0xcb0 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224817 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_pla_rules_0bde462ce96f215e.cdf-ms Handle ID: 0xcac Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224816 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_pla_system_571618c4f89c6368.cdf-ms Handle ID: 0xddc Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224815 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_addsdeployment_internal_6dd790b76065b9c7.cdf-ms Handle ID: 0xcb0 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224814 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_adprep_103763c9308d2cf6.cdf-ms Handle ID: 0xcac Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224813 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_drivers_dc1b782427b5ee1b.cdf-ms Handle ID: 0xcb0 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224812 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_en_9da4492827ac64e5.cdf-ms Handle ID: 0xcac Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224811 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_en-us_429cd25484dc6f94.cdf-ms Handle ID: 0xddc Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224810 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_migration_927a21df1acd7c18.cdf-ms Handle ID: 0xcb0 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224809 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_wbem_adstatus_en-us_598d775e25df3776.cdf-ms Handle ID: 0xcac Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224808 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_wbem_adstatus_3d598f1a257714d4.cdf-ms Handle ID: 0xddc Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224807 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_wbem_en-us_4555b1beb1c13883.cdf-ms Handle ID: 0xcac Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224806 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_wbem_06656d9fdf2f8577.cdf-ms Handle ID: 0xddc Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224805 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_windowspowershell_v1.0_modules_addsdeployment_en-us_2a74edccc1769c65.cdf-ms Handle ID: 0xcb0 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224804 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_windowspowershell_v1.0_modules_addsdeployment_7c6e6fd78a5229e5.cdf-ms Handle ID: 0xcac Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224803 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_windowspowershell_v1.0_modules_dfsn_msft_dfsnamespace_76cc4c037f1ec6b8.cdf-ms Handle ID: 0xcb0 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224802 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_windowspowershell_v1.0_modules_dfsn_msft_dfsnamespaceaccess_fafeb1eac22b971e.cdf-ms Handle ID: 0xcac Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224801 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_windowspowershell_v1.0_modules_dfsn_msft_dfsnamespacefolder_fa628b96c354deb2.cdf-ms Handle ID: 0xcb0 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224800 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_windowspowershell_v1.0_modules_dfsn_msft_dfsnamespacefoldertarget_93cbfec69ca8dba5.cdf-ms Handle ID: 0xcac Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224799 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_windowspowershell_v1.0_modules_dfsn_msft_dfsnamespaceroottarget_73120b72a6f80f93.cdf-ms Handle ID: 0xcb0 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224798 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_windowspowershell_v1.0_modules_dfsn_msft_dfsnamespaceserverconfig_91d2af3f6ce50f5d.cdf-ms Handle ID: 0xcac Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224797 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_windowspowershell_v1.0_modules_dfsn_6a826925d13e6565.cdf-ms Handle ID: 0xcb0 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224796 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_windowspowershell_v1.0_modules_grouppolicy_en-us_97cae6696b4b501f.cdf-ms Handle ID: 0xcac Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224795 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_windowspowershell_v1.0_modules_grouppolicy_b883802c54ca5457.cdf-ms Handle ID: 0xcb0 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224794 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_windowspowershell_v1.0_modules_a349059b05097caa.cdf-ms Handle ID: 0xcac Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224793 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_windowspowershell_v1.0_3f102d555ee05d33.cdf-ms Handle ID: 0xcb0 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224792 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_21f9a9c4a2f8b514.cdf-ms Handle ID: 0xddc Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224791 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_syswow64_en-us_9e576ab077991fe8.cdf-ms Handle ID: 0xcac Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224790 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_syswow64_windowspowershell_v1.0_modules_grouppolicy_en-us_1786904f38608857.cdf-ms Handle ID: 0xcb0 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224789 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_syswow64_windowspowershell_v1.0_modules_grouppolicy_f160218b6d329add.cdf-ms Handle ID: 0xddc Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224788 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_syswow64_windowspowershell_v1.0_modules_b001352a7f7811a4.cdf-ms Handle ID: 0xcb0 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224787 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_syswow64_windowspowershell_v1.0_19ae85881f1c4f2d.cdf-ms Handle ID: 0xddc Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224786 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_syswow64_21ffbdd2a2dd92e0.cdf-ms Handle ID: 0xcac Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224785 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$.cdf-ms Handle ID: 0xcb0 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 10/09/2020 09:00:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224784 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\_0000000000000000.cdf-ms Handle ID: 0xddc Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 10/09/2020 09:00:59 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=225130 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: Key Object Name: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\DfsrRo\Instances\DfsrRo Handle ID: 0xca0 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;FA;KA;;;WD) 10/09/2020 09:00:59 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=225129 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: Key Object Name: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\DfsrRo\Instances Handle ID: 0xca8 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;FA;KA;;;WD) 10/09/2020 09:01:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Special Logon OpCode=Info RecordNumber=225136 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:01:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Logon OpCode=Info RecordNumber=225135 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x354 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:01:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Special Logon OpCode=Info RecordNumber=225134 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:01:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Logon OpCode=Info RecordNumber=225133 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x354 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:01:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Special Logon OpCode=Info RecordNumber=225132 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:01:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Logon OpCode=Info RecordNumber=225131 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x354 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:01:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Special Logon OpCode=Info RecordNumber=225167 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-1796611 Logon ID: 0xC00E5 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:01:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Logon OpCode=Info RecordNumber=225166 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-1796611 Logon ID: 0xC00E5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x5c0 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:01:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Logon OpCode=Info RecordNumber=225165 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-DC-1796611 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x5c0 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:01:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Credential Validation OpCode=Info RecordNumber=225164 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-DC-1796611 Error Code: 0x0 10/09/2020 09:01:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Special Logon OpCode=Info RecordNumber=225163 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-1796611 Logon ID: 0xBECE0 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:01:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Logon OpCode=Info RecordNumber=225162 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-1796611 Logon ID: 0xBECE0 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x5c0 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:01:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Logon OpCode=Info RecordNumber=225161 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-DC-1796611 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x5c0 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:01:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Credential Validation OpCode=Info RecordNumber=225160 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-DC-1796611 Error Code: 0x0 10/09/2020 09:01:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Special Logon OpCode=Info RecordNumber=225159 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-1796611 Logon ID: 0xBEC14 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:01:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Logon OpCode=Info RecordNumber=225158 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-1796611 Logon ID: 0xBEC14 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x5c0 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:01:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Logon OpCode=Info RecordNumber=225157 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-DC-1796611 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x5c0 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:01:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Credential Validation OpCode=Info RecordNumber=225156 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-DC-1796611 Error Code: 0x0 10/09/2020 09:01:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Special Logon OpCode=Info RecordNumber=225155 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-1796611 Logon ID: 0xBE903 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:01:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Logon OpCode=Info RecordNumber=225154 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-1796611 Logon ID: 0xBE903 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x5c0 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:01:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Logon OpCode=Info RecordNumber=225153 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-DC-1796611 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x5c0 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:01:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Credential Validation OpCode=Info RecordNumber=225152 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-DC-1796611 Error Code: 0x0 10/09/2020 09:01:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Logoff OpCode=Info RecordNumber=225151 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-1796611 Logon ID: 0x8804B Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:01:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Logoff OpCode=Info RecordNumber=225150 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-1796611 Logon ID: 0xBE8AE Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:01:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Logoff OpCode=Info RecordNumber=225149 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-1796611 Logon ID: 0x8846A Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:01:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Special Logon OpCode=Info RecordNumber=225148 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-1796611 Logon ID: 0xBE8AE Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:01:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Logon OpCode=Info RecordNumber=225147 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-1796611 Logon ID: 0xBE8AE Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x5c0 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:01:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Logon OpCode=Info RecordNumber=225146 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-DC-1796611 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x5c0 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:01:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Credential Validation OpCode=Info RecordNumber=225145 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-DC-1796611 Error Code: 0x0 10/09/2020 09:01:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Logoff OpCode=Info RecordNumber=225144 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-1796611 Logon ID: 0xBE874 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:01:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Special Logon OpCode=Info RecordNumber=225143 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-1796611 Logon ID: 0xBE874 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:01:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Logon OpCode=Info RecordNumber=225142 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-1796611 Logon ID: 0xBE874 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x5c0 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:01:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Logon OpCode=Info RecordNumber=225141 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-DC-1796611 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x5c0 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:01:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Credential Validation OpCode=Info RecordNumber=225140 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-DC-1796611 Error Code: 0x0 10/09/2020 09:01:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Logoff OpCode=Info RecordNumber=225139 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-1796611 Logon ID: 0x8A4B0 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:01:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Logoff OpCode=Info RecordNumber=225138 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-1796611 Logon ID: 0x89997 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:01:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Logoff OpCode=Info RecordNumber=225137 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-1796611 Logon ID: 0x8850C Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:01:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Special Logon OpCode=Info RecordNumber=225171 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-1796611 Logon ID: 0xC0AC0 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:01:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Logon OpCode=Info RecordNumber=225170 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-1796611 Logon ID: 0xC0AC0 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x5c0 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:01:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Logon OpCode=Info RecordNumber=225169 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-DC-1796611 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x5c0 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:01:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Credential Validation OpCode=Info RecordNumber=225168 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-DC-1796611 Error Code: 0x0 10/09/2020 09:01:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Special Logon OpCode=Info RecordNumber=225176 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-1796611 Logon ID: 0xCC68A Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:01:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Logon OpCode=Info RecordNumber=225175 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-1796611 Logon ID: 0xCC68A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x5c0 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:01:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Logon OpCode=Info RecordNumber=225174 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-DC-1796611 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x5c0 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:01:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Credential Validation OpCode=Info RecordNumber=225173 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-DC-1796611 Error Code: 0x0 10/09/2020 09:01:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Logoff OpCode=Info RecordNumber=225172 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-1796611 Logon ID: 0xC0AC0 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:01:34 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Logoff OpCode=Info RecordNumber=225177 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-1796611 Logon ID: 0x31A0C Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:01:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4717 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Authentication Policy Change OpCode=Info RecordNumber=225193 Keywords=Audit Success Message=System security access was granted to an account. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Account Modified: Account Name: NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS Access Granted: Access Right: SeNetworkLogonRight 10/09/2020 09:01:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4717 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Authentication Policy Change OpCode=Info RecordNumber=225192 Keywords=Audit Success Message=System security access was granted to an account. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Account Modified: Account Name: NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS Access Granted: Access Right: SeInteractiveLogonRight 10/09/2020 09:01:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4717 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Authentication Policy Change OpCode=Info RecordNumber=225191 Keywords=Audit Success Message=System security access was granted to an account. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Account Modified: Account Name: BUILTIN\Print Operators Access Granted: Access Right: SeInteractiveLogonRight 10/09/2020 09:01:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4717 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Authentication Policy Change OpCode=Info RecordNumber=225190 Keywords=Audit Success Message=System security access was granted to an account. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Account Modified: Account Name: BUILTIN\Account Operators Access Granted: Access Right: SeInteractiveLogonRight 10/09/2020 09:01:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4718 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Authentication Policy Change OpCode=Info RecordNumber=225189 Keywords=Audit Success Message=System security access was removed from an account. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Account Modified: Account Name: BUILTIN\Users Access Removed: Access Right: SeNetworkLogonRight 10/09/2020 09:01:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4717 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Authentication Policy Change OpCode=Info RecordNumber=225188 Keywords=Audit Success Message=System security access was granted to an account. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Account Modified: Account Name: BUILTIN\Pre-Windows 2000 Compatible Access Access Granted: Access Right: SeNetworkLogonRight 10/09/2020 09:01:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4717 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Authentication Policy Change OpCode=Info RecordNumber=225187 Keywords=Audit Success Message=System security access was granted to an account. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Account Modified: Account Name: NT AUTHORITY\Authenticated Users Access Granted: Access Right: SeNetworkLogonRight 10/09/2020 09:01:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4717 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Authentication Policy Change OpCode=Info RecordNumber=225186 Keywords=Audit Success Message=System security access was granted to an account. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Account Modified: Account Name: BUILTIN\Server Operators Access Granted: Access Right: SeInteractiveLogonRight 10/09/2020 09:01:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4718 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Authentication Policy Change OpCode=Info RecordNumber=225185 Keywords=Audit Success Message=System security access was removed from an account. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Account Modified: Account Name: BUILTIN\Backup Operators Access Removed: Access Right: SeNetworkLogonRight 10/09/2020 09:01:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4718 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Authentication Policy Change OpCode=Info RecordNumber=225184 Keywords=Audit Success Message=System security access was removed from an account. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Account Modified: Account Name: BUILTIN\Remote Desktop Users Access Removed: Access Right: SeRemoteInteractiveLogonRight 10/09/2020 09:01:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4718 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Authentication Policy Change OpCode=Info RecordNumber=225183 Keywords=Audit Success Message=System security access was removed from an account. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Account Modified: Account Name: BUILTIN\Users Access Removed: Access Right: SeInteractiveLogonRight 10/09/2020 09:01:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Special Logon OpCode=Info RecordNumber=225182 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-1796611 Logon ID: 0xD7635 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:01:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Logon OpCode=Info RecordNumber=225181 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-1796611 Logon ID: 0xD7635 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x5c0 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:01:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Logon OpCode=Info RecordNumber=225180 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-DC-1796611 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x5c0 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:01:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Credential Validation OpCode=Info RecordNumber=225179 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-DC-1796611 Error Code: 0x0 10/09/2020 09:01:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Logoff OpCode=Info RecordNumber=225178 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-1796611 Logon ID: 0xCC68A Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:01:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=225200 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SYSVOL\sysvol Handle ID: 0x660 Process Information: Process ID: 0x354 Process Name: C:\Windows\System32\services.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICISA;SD;;;WD) 10/09/2020 09:01:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=225199 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SYSVOL\sysvol\attackrange.local Handle ID: 0x6a8 Process Information: Process ID: 0x354 Process Name: C:\Windows\System32\services.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;SD;;;WD) 10/09/2020 09:01:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=225198 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SYSVOL\domain Handle ID: 0x660 Process Information: Process ID: 0x354 Process Name: C:\Windows\System32\services.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SA;SD;;;WD) 10/09/2020 09:01:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=225197 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SYSVOL\domain\scripts Handle ID: 0x660 Process Information: Process ID: 0x354 Process Name: C:\Windows\System32\services.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SA;SD;;;WD) 10/09/2020 09:01:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=225196 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SYSVOL\domain\Policies Handle ID: 0x660 Process Information: Process ID: 0x354 Process Name: C:\Windows\System32\services.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SA;SD;;;WD) 10/09/2020 09:01:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=225195 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SYSVOL\domain\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9} Handle ID: 0x660 Process Information: Process ID: 0x354 Process Name: C:\Windows\System32\services.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SA;SD;;;WD) 10/09/2020 09:01:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=225194 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SYSVOL\domain\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9} Handle ID: 0x660 Process Information: Process ID: 0x354 Process Name: C:\Windows\System32\services.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SA;SD;;;WD) 10/09/2020 09:01:52 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Special Logon OpCode=Info RecordNumber=225227 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-1796611 Logon ID: 0x114EE8 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:01:52 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Logon OpCode=Info RecordNumber=225226 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-1796611 Logon ID: 0x114EE8 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x5c0 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:01:52 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Logon OpCode=Info RecordNumber=225225 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-DC-1796611 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x5c0 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:01:52 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Credential Validation OpCode=Info RecordNumber=225224 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-DC-1796611 Error Code: 0x0 10/09/2020 09:01:52 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Special Logon OpCode=Info RecordNumber=225223 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-1796611 Logon ID: 0x114E47 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:01:52 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Logon OpCode=Info RecordNumber=225222 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-1796611 Logon ID: 0x114E47 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x5c0 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:01:52 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Logon OpCode=Info RecordNumber=225221 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-DC-1796611 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x5c0 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:01:52 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Credential Validation OpCode=Info RecordNumber=225220 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-DC-1796611 Error Code: 0x0 10/09/2020 09:01:52 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Special Logon OpCode=Info RecordNumber=225219 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-1796611 Logon ID: 0x114BE7 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:01:52 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Logon OpCode=Info RecordNumber=225218 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-1796611 Logon ID: 0x114BE7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x5c0 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:01:52 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Logon OpCode=Info RecordNumber=225217 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-DC-1796611 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x5c0 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:01:52 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Credential Validation OpCode=Info RecordNumber=225216 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-DC-1796611 Error Code: 0x0 10/09/2020 09:01:52 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Logoff OpCode=Info RecordNumber=225215 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-1796611 Logon ID: 0xBE903 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:01:52 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Logoff OpCode=Info RecordNumber=225214 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-1796611 Logon ID: 0x114B93 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:01:52 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Logoff OpCode=Info RecordNumber=225213 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-1796611 Logon ID: 0xBEC14 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:01:52 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Special Logon OpCode=Info RecordNumber=225212 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-1796611 Logon ID: 0x114B93 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:01:52 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Logon OpCode=Info RecordNumber=225211 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-1796611 Logon ID: 0x114B93 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x5c0 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:01:52 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Logon OpCode=Info RecordNumber=225210 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-DC-1796611 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x5c0 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:01:52 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Credential Validation OpCode=Info RecordNumber=225209 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-DC-1796611 Error Code: 0x0 10/09/2020 09:01:52 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Logoff OpCode=Info RecordNumber=225208 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-1796611 Logon ID: 0x114B63 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:01:52 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Special Logon OpCode=Info RecordNumber=225207 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-1796611 Logon ID: 0x114B63 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:01:52 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Logon OpCode=Info RecordNumber=225206 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-1796611 Logon ID: 0x114B63 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x5c0 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:01:52 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Logon OpCode=Info RecordNumber=225205 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-DC-1796611 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x5c0 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:01:52 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Credential Validation OpCode=Info RecordNumber=225204 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-DC-1796611 Error Code: 0x0 10/09/2020 09:01:52 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Logoff OpCode=Info RecordNumber=225203 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-1796611 Logon ID: 0xD7635 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:01:52 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Logoff OpCode=Info RecordNumber=225202 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-1796611 Logon ID: 0xC00E5 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:01:52 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Logoff OpCode=Info RecordNumber=225201 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-1796611 Logon ID: 0xBECE0 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:01:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Special Logon OpCode=Info RecordNumber=225235 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-1796611 Logon ID: 0x11787E Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:01:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Logon OpCode=Info RecordNumber=225234 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-1796611 Logon ID: 0x11787E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x5c0 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:01:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Logon OpCode=Info RecordNumber=225233 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-DC-1796611 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x5c0 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:01:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Credential Validation OpCode=Info RecordNumber=225232 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-DC-1796611 Error Code: 0x0 10/09/2020 09:01:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Special Logon OpCode=Info RecordNumber=225231 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-1796611 Logon ID: 0x116310 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:01:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Logon OpCode=Info RecordNumber=225230 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-1796611 Logon ID: 0x116310 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x5c0 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:01:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Logon OpCode=Info RecordNumber=225229 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-DC-1796611 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x5c0 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:01:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Credential Validation OpCode=Info RecordNumber=225228 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-DC-1796611 Error Code: 0x0 10/09/2020 09:01:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Logoff OpCode=Info RecordNumber=225249 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-1796611 Logon ID: 0x11B9B5 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:01:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Logoff OpCode=Info RecordNumber=225248 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-1796611 Logon ID: 0x114E47 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:01:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Special Logon OpCode=Info RecordNumber=225247 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-1796611 Logon ID: 0x11B9B5 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:01:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Logon OpCode=Info RecordNumber=225246 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-1796611 Logon ID: 0x11B9B5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x5c0 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:01:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Logon OpCode=Info RecordNumber=225245 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-DC-1796611 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x5c0 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:01:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Credential Validation OpCode=Info RecordNumber=225244 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-DC-1796611 Error Code: 0x0 10/09/2020 09:01:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Logoff OpCode=Info RecordNumber=225243 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-1796611 Logon ID: 0x11B933 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:01:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Special Logon OpCode=Info RecordNumber=225242 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-1796611 Logon ID: 0x11B933 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:01:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Logon OpCode=Info RecordNumber=225241 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-1796611 Logon ID: 0x11B933 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x5c0 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:01:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Logon OpCode=Info RecordNumber=225240 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-DC-1796611 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x5c0 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:01:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Credential Validation OpCode=Info RecordNumber=225239 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-DC-1796611 Error Code: 0x0 10/09/2020 09:01:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Logoff OpCode=Info RecordNumber=225238 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-1796611 Logon ID: 0x11787E Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:01:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Logoff OpCode=Info RecordNumber=225237 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-1796611 Logon ID: 0x116310 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:01:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Logoff OpCode=Info RecordNumber=225236 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-1796611 Logon ID: 0x114EE8 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:01:55 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Special Logon OpCode=Info RecordNumber=225280 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-1796611 Logon ID: 0x11E59D Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:01:55 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Logon OpCode=Info RecordNumber=225279 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-1796611 Logon ID: 0x11E59D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x5c0 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:01:55 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Logon OpCode=Info RecordNumber=225278 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-DC-1796611 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x5c0 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:01:55 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Credential Validation OpCode=Info RecordNumber=225277 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-DC-1796611 Error Code: 0x0 10/09/2020 09:01:55 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Logoff OpCode=Info RecordNumber=225276 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-1796611 Logon ID: 0x11CD76 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:01:55 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Special Logon OpCode=Info RecordNumber=225275 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-1796611 Logon ID: 0x11CD76 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:01:55 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Logon OpCode=Info RecordNumber=225274 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-1796611 Logon ID: 0x11CD76 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x5c0 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:01:55 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Logon OpCode=Info RecordNumber=225273 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-DC-1796611 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x5c0 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:01:55 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Credential Validation OpCode=Info RecordNumber=225272 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-DC-1796611 Error Code: 0x0 10/09/2020 09:01:55 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Special Logon OpCode=Info RecordNumber=225271 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-1796611 Logon ID: 0x11CCC5 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:01:55 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Logon OpCode=Info RecordNumber=225270 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-1796611 Logon ID: 0x11CCC5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x5c0 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:01:55 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Logon OpCode=Info RecordNumber=225269 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-DC-1796611 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x5c0 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:01:55 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Credential Validation OpCode=Info RecordNumber=225268 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-DC-1796611 Error Code: 0x0 10/09/2020 09:01:55 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Logoff OpCode=Info RecordNumber=225267 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-1796611 Logon ID: 0x11CC88 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:01:55 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Special Logon OpCode=Info RecordNumber=225266 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-1796611 Logon ID: 0x11CC88 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:01:55 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Logon OpCode=Info RecordNumber=225265 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-1796611 Logon ID: 0x11CC88 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x5c0 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:01:55 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Logon OpCode=Info RecordNumber=225264 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-DC-1796611 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x5c0 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:01:55 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Credential Validation OpCode=Info RecordNumber=225263 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-DC-1796611 Error Code: 0x0 10/09/2020 09:01:55 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Logoff OpCode=Info RecordNumber=225262 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-1796611 Logon ID: 0x11BE3B Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:01:55 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Special Logon OpCode=Info RecordNumber=225261 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-1796611 Logon ID: 0x11BE3B Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:01:55 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Logon OpCode=Info RecordNumber=225260 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-1796611 Logon ID: 0x11BE3B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x5c0 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:01:55 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Logon OpCode=Info RecordNumber=225259 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-DC-1796611 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x5c0 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:01:55 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Credential Validation OpCode=Info RecordNumber=225258 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-DC-1796611 Error Code: 0x0 10/09/2020 09:01:55 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Special Logon OpCode=Info RecordNumber=225257 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-1796611 Logon ID: 0x11BD82 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:01:55 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Logon OpCode=Info RecordNumber=225256 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-1796611 Logon ID: 0x11BD82 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x5c0 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:01:55 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Logon OpCode=Info RecordNumber=225255 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-DC-1796611 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x5c0 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:01:55 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Credential Validation OpCode=Info RecordNumber=225254 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-DC-1796611 Error Code: 0x0 10/09/2020 09:01:55 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Special Logon OpCode=Info RecordNumber=225253 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-1796611 Logon ID: 0x11BA68 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:01:55 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Logon OpCode=Info RecordNumber=225252 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-1796611 Logon ID: 0x11BA68 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x5c0 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:01:55 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Logon OpCode=Info RecordNumber=225251 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-DC-1796611 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x5c0 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:01:55 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Credential Validation OpCode=Info RecordNumber=225250 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-DC-1796611 Error Code: 0x0 10/09/2020 09:01:58 AM LogName=Security SourceName=Microsoft-Windows-Eventlog EventCode=1100 EventType=4 Type=Information ComputerName=win-dc-1796611 TaskCategory=Service shutdown OpCode=Info RecordNumber=225281 Keywords=Audit Success Message=The event logging service has shut down. 10/09/2020 09:02:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=225286 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x280 New Process Name: C:\Windows\System32\csrss.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x278 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 10/09/2020 09:02:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=225285 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x278 New Process Name: C:\Windows\System32\smss.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x1bc Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 10/09/2020 09:02:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=225284 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x248 New Process Name: C:\Windows\System32\autochk.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x1bc Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 10/09/2020 09:02:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=225283 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1bc New Process Name: C:\Windows\System32\smss.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x4 Creator Process Name: Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 10/09/2020 09:02:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4826 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Other Policy Change Events OpCode=Info RecordNumber=225282 Keywords=Audit Success Message=Boot Configuration Data loaded. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 General Settings: Load Options: - Advanced Options: No Configuration Access Policy: Default System Event Logging: No Kernel Debugging: No VSM Launch Type: Off Signature Settings: Test Signing: No Flight Signing: No Disable Integrity Checks: No HyperVisor Settings: HyperVisor Load Options: - HyperVisor Launch Type: Off HyperVisor Debugging: No 10/09/2020 09:02:33 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=225290 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x320 New Process Name: C:\Windows\System32\winlogon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x2c4 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 10/09/2020 09:02:33 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=225289 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x2d4 New Process Name: C:\Windows\System32\csrss.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x2c4 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 10/09/2020 09:02:33 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=225288 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x2cc New Process Name: C:\Windows\System32\wininit.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x278 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 10/09/2020 09:02:33 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=225287 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x2c4 New Process Name: C:\Windows\System32\smss.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x1bc Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 10/09/2020 09:02:35 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=225294 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 0 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: - New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4 Process Name: Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: - Authentication Package: - Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:02:35 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4608 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Security State Change OpCode=Info RecordNumber=225293 Keywords=Audit Success Message=Windows is starting up. This event is logged when LSASS.EXE starts and the auditing subsystem is initialized. 10/09/2020 09:02:35 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=225292 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x35c New Process Name: C:\Windows\System32\lsass.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x2cc Creator Process Name: C:\Windows\System32\wininit.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 10/09/2020 09:02:35 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=225291 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x354 New Process Name: C:\Windows\System32\services.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x2cc Creator Process Name: C:\Windows\System32\wininit.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 10/09/2020 09:02:36 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4902 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=225295 Keywords=Audit Success Message=The Per-user audit policy table was created. Number of Elements: 0 Policy ID: 0x56FD 10/09/2020 09:02:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=225397 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:02:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=225396 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x354 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:02:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4755 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=225395 Keywords=Audit Success Message=A security-enabled universal group was changed. Subject: Security ID: NT AUTHORITY\ANONYMOUS LOGON Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x3E6 Group: Security ID: ATTACKRANGE\Enterprise Key Admins Group Name: Enterprise Key Admins Group Domain: ATTACKRANGE Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 10/09/2020 09:02:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4754 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=225394 Keywords=Audit Success Message=A security-enabled universal group was created. Subject: Security ID: NT AUTHORITY\ANONYMOUS LOGON Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x3E6 Group: Security ID: ATTACKRANGE\Enterprise Key Admins Group Name: Enterprise Key Admins Group Domain: ATTACKRANGE Attributes: SAM Account Name: Enterprise Key Admins SID History: - Additional Information: Privileges: - 10/09/2020 09:02:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4737 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=225393 Keywords=Audit Success Message=A security-enabled global group was changed. Subject: Security ID: NT AUTHORITY\ANONYMOUS LOGON Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x3E6 Group: Security ID: ATTACKRANGE\Key Admins Group Name: Key Admins Group Domain: ATTACKRANGE Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 10/09/2020 09:02:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4727 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=225392 Keywords=Audit Success Message=A security-enabled global group was created. Subject: Security ID: NT AUTHORITY\ANONYMOUS LOGON Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x3E6 New Group: Security ID: ATTACKRANGE\Key Admins Group Name: Key Admins Group Domain: ATTACKRANGE Attributes: SAM Account Name: Key Admins SID History: - Additional Information: Privileges: - 10/09/2020 09:02:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4737 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=225391 Keywords=Audit Success Message=A security-enabled global group was changed. Subject: Security ID: NT AUTHORITY\ANONYMOUS LOGON Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x3E6 Group: Security ID: ATTACKRANGE\Protected Users Group Name: Protected Users Group Domain: ATTACKRANGE Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 10/09/2020 09:02:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4727 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=225390 Keywords=Audit Success Message=A security-enabled global group was created. Subject: Security ID: NT AUTHORITY\ANONYMOUS LOGON Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x3E6 New Group: Security ID: ATTACKRANGE\Protected Users Group Name: Protected Users Group Domain: ATTACKRANGE Attributes: SAM Account Name: Protected Users SID History: - Additional Information: Privileges: - 10/09/2020 09:02:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4737 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=225389 Keywords=Audit Success Message=A security-enabled global group was changed. Subject: Security ID: NT AUTHORITY\ANONYMOUS LOGON Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x3E6 Group: Security ID: ATTACKRANGE\Cloneable Domain Controllers Group Name: Cloneable Domain Controllers Group Domain: ATTACKRANGE Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 10/09/2020 09:02:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4727 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=225388 Keywords=Audit Success Message=A security-enabled global group was created. Subject: Security ID: NT AUTHORITY\ANONYMOUS LOGON Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x3E6 New Group: Security ID: ATTACKRANGE\Cloneable Domain Controllers Group Name: Cloneable Domain Controllers Group Domain: ATTACKRANGE Attributes: SAM Account Name: Cloneable Domain Controllers SID History: - Additional Information: Privileges: - 10/09/2020 09:02:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=225387 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\ANONYMOUS LOGON Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x3E6 Group: Security ID: ATTACKRANGE\Denied RODC Password Replication Group Group Name: Denied RODC Password Replication Group Group Domain: ATTACKRANGE Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 10/09/2020 09:02:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4732 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=225386 Keywords=Audit Success Message=A member was added to a security-enabled local group. Subject: Security ID: NT AUTHORITY\ANONYMOUS LOGON Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x3E6 Member: Security ID: ATTACKRANGE\Read-only Domain Controllers Account Name: CN=Read-only Domain Controllers,CN=Users,DC=attackrange,DC=local Group: Security ID: ATTACKRANGE\Denied RODC Password Replication Group Group Name: Denied RODC Password Replication Group Group Domain: ATTACKRANGE Additional Information: Privileges: - 10/09/2020 09:02:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4755 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=225385 Keywords=Audit Success Message=A security-enabled universal group was changed. Subject: Security ID: NT AUTHORITY\ANONYMOUS LOGON Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x3E6 Group: Security ID: ATTACKRANGE\Enterprise Read-only Domain Controllers Group Name: Enterprise Read-only Domain Controllers Group Domain: ATTACKRANGE Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 10/09/2020 09:02:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4754 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=225384 Keywords=Audit Success Message=A security-enabled universal group was created. Subject: Security ID: NT AUTHORITY\ANONYMOUS LOGON Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x3E6 Group: Security ID: ATTACKRANGE\Enterprise Read-only Domain Controllers Group Name: Enterprise Read-only Domain Controllers Group Domain: ATTACKRANGE Attributes: SAM Account Name: Enterprise Read-only Domain Controllers SID History: - Additional Information: Privileges: - 10/09/2020 09:02:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=225383 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\ANONYMOUS LOGON Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x3E6 Group: Security ID: ATTACKRANGE\Denied RODC Password Replication Group Group Name: Denied RODC Password Replication Group Group Domain: ATTACKRANGE Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 10/09/2020 09:02:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=225382 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\ANONYMOUS LOGON Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x3E6 Group: Security ID: ATTACKRANGE\Denied RODC Password Replication Group Group Name: Denied RODC Password Replication Group Group Domain: ATTACKRANGE Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 10/09/2020 09:02:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4737 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=225381 Keywords=Audit Success Message=A security-enabled global group was changed. Subject: Security ID: NT AUTHORITY\ANONYMOUS LOGON Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x3E6 Group: Security ID: ATTACKRANGE\Read-only Domain Controllers Group Name: Read-only Domain Controllers Group Domain: ATTACKRANGE Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 10/09/2020 09:02:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4727 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=225380 Keywords=Audit Success Message=A security-enabled global group was created. Subject: Security ID: NT AUTHORITY\ANONYMOUS LOGON Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x3E6 New Group: Security ID: ATTACKRANGE\Read-only Domain Controllers Group Name: Read-only Domain Controllers Group Domain: ATTACKRANGE Attributes: SAM Account Name: Read-only Domain Controllers SID History: - Additional Information: Privileges: - 10/09/2020 09:02:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=225379 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\ANONYMOUS LOGON Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x3E6 Group: Security ID: ATTACKRANGE\Denied RODC Password Replication Group Group Name: Denied RODC Password Replication Group Group Domain: ATTACKRANGE Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 10/09/2020 09:02:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4732 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=225378 Keywords=Audit Success Message=A member was added to a security-enabled local group. Subject: Security ID: NT AUTHORITY\ANONYMOUS LOGON Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x3E6 Member: Security ID: ATTACKRANGE\krbtgt Account Name: CN=krbtgt,CN=Users,DC=attackrange,DC=local Group: Security ID: ATTACKRANGE\Denied RODC Password Replication Group Group Name: Denied RODC Password Replication Group Group Domain: ATTACKRANGE Additional Information: Privileges: - 10/09/2020 09:02:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=225377 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\ANONYMOUS LOGON Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x3E6 Group: Security ID: ATTACKRANGE\Denied RODC Password Replication Group Group Name: Denied RODC Password Replication Group Group Domain: ATTACKRANGE Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 10/09/2020 09:02:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4732 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=225376 Keywords=Audit Success Message=A member was added to a security-enabled local group. Subject: Security ID: NT AUTHORITY\ANONYMOUS LOGON Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x3E6 Member: Security ID: ATTACKRANGE\Domain Controllers Account Name: CN=Domain Controllers,CN=Users,DC=attackrange,DC=local Group: Security ID: ATTACKRANGE\Denied RODC Password Replication Group Group Name: Denied RODC Password Replication Group Group Domain: ATTACKRANGE Additional Information: Privileges: - 10/09/2020 09:02:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=225375 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\ANONYMOUS LOGON Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x3E6 Group: Security ID: ATTACKRANGE\Denied RODC Password Replication Group Group Name: Denied RODC Password Replication Group Group Domain: ATTACKRANGE Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 10/09/2020 09:02:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4732 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=225374 Keywords=Audit Success Message=A member was added to a security-enabled local group. Subject: Security ID: NT AUTHORITY\ANONYMOUS LOGON Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x3E6 Member: Security ID: ATTACKRANGE\Cert Publishers Account Name: CN=Cert Publishers,CN=Users,DC=attackrange,DC=local Group: Security ID: ATTACKRANGE\Denied RODC Password Replication Group Group Name: Denied RODC Password Replication Group Group Domain: ATTACKRANGE Additional Information: Privileges: - 10/09/2020 09:02:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=225373 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\ANONYMOUS LOGON Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x3E6 Group: Security ID: ATTACKRANGE\Denied RODC Password Replication Group Group Name: Denied RODC Password Replication Group Group Domain: ATTACKRANGE Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 10/09/2020 09:02:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4732 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=225372 Keywords=Audit Success Message=A member was added to a security-enabled local group. Subject: Security ID: NT AUTHORITY\ANONYMOUS LOGON Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x3E6 Member: Security ID: ATTACKRANGE\Domain Admins Account Name: CN=Domain Admins,CN=Users,DC=attackrange,DC=local Group: Security ID: ATTACKRANGE\Denied RODC Password Replication Group Group Name: Denied RODC Password Replication Group Group Domain: ATTACKRANGE Additional Information: Privileges: - 10/09/2020 09:02:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=225371 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\ANONYMOUS LOGON Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x3E6 Group: Security ID: ATTACKRANGE\Denied RODC Password Replication Group Group Name: Denied RODC Password Replication Group Group Domain: ATTACKRANGE Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 10/09/2020 09:02:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4732 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=225370 Keywords=Audit Success Message=A member was added to a security-enabled local group. Subject: Security ID: NT AUTHORITY\ANONYMOUS LOGON Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x3E6 Member: Security ID: ATTACKRANGE\Group Policy Creator Owners Account Name: CN=Group Policy Creator Owners,CN=Users,DC=attackrange,DC=local Group: Security ID: ATTACKRANGE\Denied RODC Password Replication Group Group Name: Denied RODC Password Replication Group Group Domain: ATTACKRANGE Additional Information: Privileges: - 10/09/2020 09:02:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=225369 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\ANONYMOUS LOGON Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x3E6 Group: Security ID: ATTACKRANGE\Denied RODC Password Replication Group Group Name: Denied RODC Password Replication Group Group Domain: ATTACKRANGE Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 10/09/2020 09:02:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4731 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=225368 Keywords=Audit Success Message=A security-enabled local group was created. Subject: Security ID: NT AUTHORITY\ANONYMOUS LOGON Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x3E6 New Group: Security ID: ATTACKRANGE\Denied RODC Password Replication Group Group Name: Denied RODC Password Replication Group Group Domain: ATTACKRANGE Attributes: SAM Account Name: Denied RODC Password Replication Group SID History: - Additional Information: Privileges: - 10/09/2020 09:02:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=225367 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\ANONYMOUS LOGON Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x3E6 Group: Security ID: ATTACKRANGE\Allowed RODC Password Replication Group Group Name: Allowed RODC Password Replication Group Group Domain: ATTACKRANGE Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 10/09/2020 09:02:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4731 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=225366 Keywords=Audit Success Message=A security-enabled local group was created. Subject: Security ID: NT AUTHORITY\ANONYMOUS LOGON Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x3E6 New Group: Security ID: ATTACKRANGE\Allowed RODC Password Replication Group Group Name: Allowed RODC Password Replication Group Group Domain: ATTACKRANGE Attributes: SAM Account Name: Allowed RODC Password Replication Group SID History: - Additional Information: Privileges: - 10/09/2020 09:02:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4742 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Computer Account Management OpCode=Info RecordNumber=225365 Keywords=Audit Success Message=A computer account was changed. Subject: Security ID: NT AUTHORITY\ANONYMOUS LOGON Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x3E6 Computer Account That Was Changed: Security ID: ATTACKRANGE\WIN-DC-1796611$ Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Changed Attributes: SAM Account Name: - Display Name: - User Principal Name: - Home Directory: - Home Drive: - Script Path: - Profile Path: - User Workstations: - Password Last Set: - Account Expires: - Primary Group ID: - AllowedToDelegateTo: - Old UAC Value: - New UAC Value: - User Account Control: - User Parameters: - SID History: - Logon Hours: - DNS Host Name: - Service Principal Names: - Additional Information: Privileges: - 10/09/2020 09:02:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=225364 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\ANONYMOUS LOGON Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x3E6 Group: Security ID: BUILTIN\Administrators Group Name: Administrators Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 10/09/2020 09:02:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=225363 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\ANONYMOUS LOGON Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x3E6 Group: Security ID: BUILTIN\Windows Authorization Access Group Group Name: Windows Authorization Access Group Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 10/09/2020 09:02:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4732 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=225362 Keywords=Audit Success Message=A member was added to a security-enabled local group. Subject: Security ID: NT AUTHORITY\ANONYMOUS LOGON Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x3E6 Member: Security ID: NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS Account Name: - Group: Security ID: BUILTIN\Windows Authorization Access Group Group Name: Windows Authorization Access Group Group Domain: Builtin Additional Information: Privileges: - 10/09/2020 09:02:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=225361 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\ANONYMOUS LOGON Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x3E6 Group: Security ID: BUILTIN\Pre-Windows 2000 Compatible Access Group Name: Pre-Windows 2000 Compatible Access Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 10/09/2020 09:02:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4732 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=225360 Keywords=Audit Success Message=A member was added to a security-enabled local group. Subject: Security ID: NT AUTHORITY\ANONYMOUS LOGON Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x3E6 Member: Security ID: NT AUTHORITY\Authenticated Users Account Name: - Group: Security ID: BUILTIN\Pre-Windows 2000 Compatible Access Group Name: Pre-Windows 2000 Compatible Access Group Domain: Builtin Additional Information: Privileges: - 10/09/2020 09:02:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4737 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=225359 Keywords=Audit Success Message=A security-enabled global group was changed. Subject: Security ID: NT AUTHORITY\ANONYMOUS LOGON Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x3E6 Group: Security ID: ATTACKRANGE\Group Policy Creator Owners Group Name: Group Policy Creator Owners Group Domain: ATTACKRANGE Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 10/09/2020 09:02:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4728 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=225358 Keywords=Audit Success Message=A member was added to a security-enabled global group. Subject: Security ID: NT AUTHORITY\ANONYMOUS LOGON Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x3E6 Member: Security ID: ATTACKRANGE\Administrator Account Name: CN=Administrator,CN=Users,DC=attackrange,DC=local Group: Security ID: ATTACKRANGE\Group Policy Creator Owners Group Name: Group Policy Creator Owners Group Domain: ATTACKRANGE Additional Information: Privileges: - 10/09/2020 09:02:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4755 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=225357 Keywords=Audit Success Message=A security-enabled universal group was changed. Subject: Security ID: NT AUTHORITY\ANONYMOUS LOGON Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x3E6 Group: Security ID: ATTACKRANGE\Enterprise Admins Group Name: Enterprise Admins Group Domain: ATTACKRANGE Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 10/09/2020 09:02:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4756 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=225356 Keywords=Audit Success Message=A member was added to a security-enabled universal group. Subject: Security ID: NT AUTHORITY\ANONYMOUS LOGON Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x3E6 Member: Security ID: ATTACKRANGE\Administrator Account Name: CN=Administrator,CN=Users,DC=attackrange,DC=local Group: Security ID: ATTACKRANGE\Enterprise Admins Account Name: Enterprise Admins Account Domain: ATTACKRANGE Additional Information: Privileges: - 10/09/2020 09:02:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4755 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=225355 Keywords=Audit Success Message=A security-enabled universal group was changed. Subject: Security ID: NT AUTHORITY\ANONYMOUS LOGON Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x3E6 Group: Security ID: ATTACKRANGE\Schema Admins Group Name: Schema Admins Group Domain: ATTACKRANGE Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 10/09/2020 09:02:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4756 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=225354 Keywords=Audit Success Message=A member was added to a security-enabled universal group. Subject: Security ID: NT AUTHORITY\ANONYMOUS LOGON Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x3E6 Member: Security ID: ATTACKRANGE\Administrator Account Name: CN=Administrator,CN=Users,DC=attackrange,DC=local Group: Security ID: ATTACKRANGE\Schema Admins Account Name: Schema Admins Account Domain: ATTACKRANGE Additional Information: Privileges: - 10/09/2020 09:02:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4737 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=225353 Keywords=Audit Success Message=A security-enabled global group was changed. Subject: Security ID: NT AUTHORITY\ANONYMOUS LOGON Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x3E6 Group: Security ID: ATTACKRANGE\Domain Admins Group Name: Domain Admins Group Domain: ATTACKRANGE Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 10/09/2020 09:02:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4728 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=225352 Keywords=Audit Success Message=A member was added to a security-enabled global group. Subject: Security ID: NT AUTHORITY\ANONYMOUS LOGON Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x3E6 Member: Security ID: ATTACKRANGE\Administrator Account Name: CN=Administrator,CN=Users,DC=attackrange,DC=local Group: Security ID: ATTACKRANGE\Domain Admins Group Name: Domain Admins Group Domain: ATTACKRANGE Additional Information: Privileges: - 10/09/2020 09:02:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=225351 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\ANONYMOUS LOGON Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x3E6 Group: Security ID: BUILTIN\Guests Group Name: Guests Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 10/09/2020 09:02:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4732 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=225350 Keywords=Audit Success Message=A member was added to a security-enabled local group. Subject: Security ID: NT AUTHORITY\ANONYMOUS LOGON Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x3E6 Member: Security ID: ATTACKRANGE\Domain Guests Account Name: - Group: Security ID: BUILTIN\Guests Group Name: Guests Group Domain: Builtin Additional Information: Privileges: - 10/09/2020 09:02:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=225349 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\ANONYMOUS LOGON Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x3E6 Group: Security ID: BUILTIN\Users Group Name: Users Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 10/09/2020 09:02:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4732 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=225348 Keywords=Audit Success Message=A member was added to a security-enabled local group. Subject: Security ID: NT AUTHORITY\ANONYMOUS LOGON Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x3E6 Member: Security ID: ATTACKRANGE\Domain Users Account Name: - Group: Security ID: BUILTIN\Users Group Name: Users Group Domain: Builtin Additional Information: Privileges: - 10/09/2020 09:02:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=225347 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\ANONYMOUS LOGON Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x3E6 Group: Security ID: BUILTIN\Administrators Group Name: Administrators Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 10/09/2020 09:02:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4732 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=225346 Keywords=Audit Success Message=A member was added to a security-enabled local group. Subject: Security ID: NT AUTHORITY\ANONYMOUS LOGON Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x3E6 Member: Security ID: ATTACKRANGE\Domain Admins Account Name: - Group: Security ID: BUILTIN\Administrators Group Name: Administrators Group Domain: Builtin Additional Information: Privileges: - 10/09/2020 09:02:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=225345 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\ANONYMOUS LOGON Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x3E6 Group: Security ID: BUILTIN\Terminal Server License Servers Group Name: Terminal Server License Servers Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 10/09/2020 09:02:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4731 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=225344 Keywords=Audit Success Message=A security-enabled local group was created. Subject: Security ID: NT AUTHORITY\ANONYMOUS LOGON Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x3E6 New Group: Security ID: BUILTIN\Terminal Server License Servers Group Name: Terminal Server License Servers Group Domain: Builtin Attributes: SAM Account Name: Terminal Server License Servers SID History: - Additional Information: Privileges: - 10/09/2020 09:02:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=225343 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\ANONYMOUS LOGON Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x3E6 Group: Security ID: BUILTIN\Windows Authorization Access Group Group Name: Windows Authorization Access Group Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 10/09/2020 09:02:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4731 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=225342 Keywords=Audit Success Message=A security-enabled local group was created. Subject: Security ID: NT AUTHORITY\ANONYMOUS LOGON Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x3E6 New Group: Security ID: BUILTIN\Windows Authorization Access Group Group Name: Windows Authorization Access Group Group Domain: Builtin Attributes: SAM Account Name: Windows Authorization Access Group SID History: - Additional Information: Privileges: - 10/09/2020 09:02:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=225341 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\ANONYMOUS LOGON Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x3E6 Group: Security ID: BUILTIN\Incoming Forest Trust Builders Group Name: Incoming Forest Trust Builders Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 10/09/2020 09:02:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4731 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=225340 Keywords=Audit Success Message=A security-enabled local group was created. Subject: Security ID: NT AUTHORITY\ANONYMOUS LOGON Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x3E6 New Group: Security ID: BUILTIN\Incoming Forest Trust Builders Group Name: Incoming Forest Trust Builders Group Domain: Builtin Attributes: SAM Account Name: Incoming Forest Trust Builders SID History: - Additional Information: Privileges: - 10/09/2020 09:02:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=225339 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\ANONYMOUS LOGON Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x3E6 Group: Security ID: BUILTIN\Pre-Windows 2000 Compatible Access Group Name: Pre-Windows 2000 Compatible Access Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 10/09/2020 09:02:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4731 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=225338 Keywords=Audit Success Message=A security-enabled local group was created. Subject: Security ID: NT AUTHORITY\ANONYMOUS LOGON Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x3E6 New Group: Security ID: BUILTIN\Pre-Windows 2000 Compatible Access Group Name: Pre-Windows 2000 Compatible Access Group Domain: Builtin Attributes: SAM Account Name: Pre-Windows 2000 Compatible Access SID History: - Additional Information: Privileges: - 10/09/2020 09:02:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=225337 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\ANONYMOUS LOGON Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x3E6 Group: Security ID: BUILTIN\Account Operators Group Name: Account Operators Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 10/09/2020 09:02:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4731 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=225336 Keywords=Audit Success Message=A security-enabled local group was created. Subject: Security ID: NT AUTHORITY\ANONYMOUS LOGON Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x3E6 New Group: Security ID: BUILTIN\Account Operators Group Name: Account Operators Group Domain: Builtin Attributes: SAM Account Name: Account Operators SID History: - Additional Information: Privileges: - 10/09/2020 09:02:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=225335 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\ANONYMOUS LOGON Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x3E6 Group: Security ID: BUILTIN\Server Operators Group Name: Server Operators Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 10/09/2020 09:02:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4731 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=225334 Keywords=Audit Success Message=A security-enabled local group was created. Subject: Security ID: NT AUTHORITY\ANONYMOUS LOGON Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x3E6 New Group: Security ID: BUILTIN\Server Operators Group Name: Server Operators Group Domain: Builtin Attributes: SAM Account Name: Server Operators SID History: - Additional Information: Privileges: - 10/09/2020 09:02:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=225333 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\ANONYMOUS LOGON Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x3E6 Group: Security ID: ATTACKRANGE\RAS and IAS Servers Group Name: RAS and IAS Servers Group Domain: ATTACKRANGE Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 10/09/2020 09:02:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4731 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=225332 Keywords=Audit Success Message=A security-enabled local group was created. Subject: Security ID: NT AUTHORITY\ANONYMOUS LOGON Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x3E6 New Group: Security ID: ATTACKRANGE\RAS and IAS Servers Group Name: RAS and IAS Servers Group Domain: ATTACKRANGE Attributes: SAM Account Name: RAS and IAS Servers SID History: - Additional Information: Privileges: - 10/09/2020 09:02:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4737 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=225331 Keywords=Audit Success Message=A security-enabled global group was changed. Subject: Security ID: NT AUTHORITY\ANONYMOUS LOGON Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x3E6 Group: Security ID: ATTACKRANGE\Group Policy Creator Owners Group Name: Group Policy Creator Owners Group Domain: ATTACKRANGE Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 10/09/2020 09:02:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4727 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=225330 Keywords=Audit Success Message=A security-enabled global group was created. Subject: Security ID: NT AUTHORITY\ANONYMOUS LOGON Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x3E6 New Group: Security ID: ATTACKRANGE\Group Policy Creator Owners Group Name: Group Policy Creator Owners Group Domain: ATTACKRANGE Attributes: SAM Account Name: Group Policy Creator Owners SID History: - Additional Information: Privileges: - 10/09/2020 09:02:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4737 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=225329 Keywords=Audit Success Message=A security-enabled global group was changed. Subject: Security ID: NT AUTHORITY\ANONYMOUS LOGON Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x3E6 Group: Security ID: ATTACKRANGE\Domain Guests Group Name: Domain Guests Group Domain: ATTACKRANGE Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 10/09/2020 09:02:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4727 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=225328 Keywords=Audit Success Message=A security-enabled global group was created. Subject: Security ID: NT AUTHORITY\ANONYMOUS LOGON Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x3E6 New Group: Security ID: ATTACKRANGE\Domain Guests Group Name: Domain Guests Group Domain: ATTACKRANGE Attributes: SAM Account Name: Domain Guests SID History: - Additional Information: Privileges: - 10/09/2020 09:02:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4737 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=225327 Keywords=Audit Success Message=A security-enabled global group was changed. Subject: Security ID: NT AUTHORITY\ANONYMOUS LOGON Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x3E6 Group: Security ID: ATTACKRANGE\Domain Users Group Name: Domain Users Group Domain: ATTACKRANGE Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 10/09/2020 09:02:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4727 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=225326 Keywords=Audit Success Message=A security-enabled global group was created. Subject: Security ID: NT AUTHORITY\ANONYMOUS LOGON Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x3E6 New Group: Security ID: ATTACKRANGE\Domain Users Group Name: Domain Users Group Domain: ATTACKRANGE Attributes: SAM Account Name: Domain Users SID History: - Additional Information: Privileges: - 10/09/2020 09:02:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4737 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=225325 Keywords=Audit Success Message=A security-enabled global group was changed. Subject: Security ID: NT AUTHORITY\ANONYMOUS LOGON Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x3E6 Group: Security ID: ATTACKRANGE\Domain Admins Group Name: Domain Admins Group Domain: ATTACKRANGE Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 10/09/2020 09:02:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4727 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=225324 Keywords=Audit Success Message=A security-enabled global group was created. Subject: Security ID: NT AUTHORITY\ANONYMOUS LOGON Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x3E6 New Group: Security ID: ATTACKRANGE\Domain Admins Group Name: Domain Admins Group Domain: ATTACKRANGE Attributes: SAM Account Name: Domain Admins SID History: - Additional Information: Privileges: - 10/09/2020 09:02:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=225323 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\ANONYMOUS LOGON Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x3E6 Group: Security ID: ATTACKRANGE\Cert Publishers Group Name: Cert Publishers Group Domain: ATTACKRANGE Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 10/09/2020 09:02:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4731 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=225322 Keywords=Audit Success Message=A security-enabled local group was created. Subject: Security ID: NT AUTHORITY\ANONYMOUS LOGON Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x3E6 New Group: Security ID: ATTACKRANGE\Cert Publishers Group Name: Cert Publishers Group Domain: ATTACKRANGE Attributes: SAM Account Name: Cert Publishers SID History: - Additional Information: Privileges: - 10/09/2020 09:02:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4755 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=225321 Keywords=Audit Success Message=A security-enabled universal group was changed. Subject: Security ID: NT AUTHORITY\ANONYMOUS LOGON Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x3E6 Group: Security ID: ATTACKRANGE\Enterprise Admins Group Name: Enterprise Admins Group Domain: ATTACKRANGE Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 10/09/2020 09:02:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4754 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=225320 Keywords=Audit Success Message=A security-enabled universal group was created. Subject: Security ID: NT AUTHORITY\ANONYMOUS LOGON Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x3E6 Group: Security ID: ATTACKRANGE\Enterprise Admins Group Name: Enterprise Admins Group Domain: ATTACKRANGE Attributes: SAM Account Name: Enterprise Admins SID History: - Additional Information: Privileges: - 10/09/2020 09:02:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4755 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=225319 Keywords=Audit Success Message=A security-enabled universal group was changed. Subject: Security ID: NT AUTHORITY\ANONYMOUS LOGON Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x3E6 Group: Security ID: ATTACKRANGE\Schema Admins Group Name: Schema Admins Group Domain: ATTACKRANGE Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 10/09/2020 09:02:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4754 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=225318 Keywords=Audit Success Message=A security-enabled universal group was created. Subject: Security ID: NT AUTHORITY\ANONYMOUS LOGON Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x3E6 Group: Security ID: ATTACKRANGE\Schema Admins Group Name: Schema Admins Group Domain: ATTACKRANGE Attributes: SAM Account Name: Schema Admins SID History: - Additional Information: Privileges: - 10/09/2020 09:02:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4737 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=225317 Keywords=Audit Success Message=A security-enabled global group was changed. Subject: Security ID: NT AUTHORITY\ANONYMOUS LOGON Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x3E6 Group: Security ID: ATTACKRANGE\Domain Controllers Group Name: Domain Controllers Group Domain: ATTACKRANGE Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 10/09/2020 09:02:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4727 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=225316 Keywords=Audit Success Message=A security-enabled global group was created. Subject: Security ID: NT AUTHORITY\ANONYMOUS LOGON Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x3E6 New Group: Security ID: ATTACKRANGE\Domain Controllers Group Name: Domain Controllers Group Domain: ATTACKRANGE Attributes: SAM Account Name: Domain Controllers SID History: - Additional Information: Privileges: - 10/09/2020 09:02:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4737 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=225315 Keywords=Audit Success Message=A security-enabled global group was changed. Subject: Security ID: NT AUTHORITY\ANONYMOUS LOGON Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x3E6 Group: Security ID: ATTACKRANGE\Domain Computers Group Name: Domain Computers Group Domain: ATTACKRANGE Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 10/09/2020 09:02:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4727 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=225314 Keywords=Audit Success Message=A security-enabled global group was created. Subject: Security ID: NT AUTHORITY\ANONYMOUS LOGON Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x3E6 New Group: Security ID: ATTACKRANGE\Domain Computers Group Name: Domain Computers Group Domain: ATTACKRANGE Attributes: SAM Account Name: Domain Computers SID History: - Additional Information: Privileges: - 10/09/2020 09:02:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4738 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=User Account Management OpCode=Info RecordNumber=225313 Keywords=Audit Success Message=A user account was changed. Subject: Security ID: NT AUTHORITY\ANONYMOUS LOGON Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x3E6 Target Account: Security ID: ATTACKRANGE\krbtgt Account Name: krbtgt Account Domain: ATTACKRANGE Changed Attributes: SAM Account Name: - Display Name: - User Principal Name: - Home Directory: - Home Drive: - Script Path: - Profile Path: - User Workstations: - Password Last Set: - Account Expires: - Primary Group ID: - AllowedToDelegateTo: - Old UAC Value: - New UAC Value: - User Account Control: - User Parameters: - SID History: - Logon Hours: - Additional Information: Privileges: - 10/09/2020 09:02:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4738 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=User Account Management OpCode=Info RecordNumber=225312 Keywords=Audit Success Message=A user account was changed. Subject: Security ID: NT AUTHORITY\ANONYMOUS LOGON Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x3E6 Target Account: Security ID: ATTACKRANGE\krbtgt Account Name: krbtgt Account Domain: ATTACKRANGE Changed Attributes: SAM Account Name: - Display Name: - User Principal Name: - Home Directory: - Home Drive: - Script Path: - Profile Path: - User Workstations: - Password Last Set: 10/9/2020 9:02:37 AM Account Expires: - Primary Group ID: - AllowedToDelegateTo: - Old UAC Value: - New UAC Value: - User Account Control: - User Parameters: - SID History: - Logon Hours: - Additional Information: Privileges: - 10/09/2020 09:02:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4738 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=User Account Management OpCode=Info RecordNumber=225311 Keywords=Audit Success Message=A user account was changed. Subject: Security ID: NT AUTHORITY\ANONYMOUS LOGON Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x3E6 Target Account: Security ID: ATTACKRANGE\krbtgt Account Name: krbtgt Account Domain: ATTACKRANGE Changed Attributes: SAM Account Name: - Display Name: - User Principal Name: - Home Directory: - Home Drive: - Script Path: - Profile Path: - User Workstations: - Password Last Set: - Account Expires: - Primary Group ID: - AllowedToDelegateTo: - Old UAC Value: 0x15 New UAC Value: 0x11 User Account Control: 'Password Not Required' - Disabled User Parameters: - SID History: - Logon Hours: - Additional Information: Privileges: - 10/09/2020 09:02:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4720 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=User Account Management OpCode=Info RecordNumber=225310 Keywords=Audit Success Message=A user account was created. Subject: Security ID: NT AUTHORITY\ANONYMOUS LOGON Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x3E6 New Account: Security ID: ATTACKRANGE\krbtgt Account Name: krbtgt Account Domain: ATTACKRANGE Attributes: SAM Account Name: krbtgt Display Name: User Principal Name: - Home Directory: Home Drive: Script Path: Profile Path: User Workstations: Password Last Set: Account Expires: Primary Group ID: 513 Allowed To Delegate To: - Old UAC Value: 0x0 New UAC Value: 0x15 User Account Control: Account Disabled 'Password Not Required' - Enabled 'Normal Account' - Enabled User Parameters: SID History: - Logon Hours: Additional Information: Privileges - 10/09/2020 09:02:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4742 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Computer Account Management OpCode=Info RecordNumber=225309 Keywords=Audit Success Message=A computer account was changed. Subject: Security ID: NT AUTHORITY\ANONYMOUS LOGON Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x3E6 Computer Account That Was Changed: Security ID: ATTACKRANGE\WIN-DC-1796611$ Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Changed Attributes: SAM Account Name: - Display Name: - User Principal Name: - Home Directory: - Home Drive: - Script Path: - Profile Path: - User Workstations: - Password Last Set: 10/9/2020 9:02:37 AM Account Expires: - Primary Group ID: - AllowedToDelegateTo: - Old UAC Value: - New UAC Value: - User Account Control: - User Parameters: - SID History: - Logon Hours: - DNS Host Name: - Service Principal Names: - Additional Information: Privileges: - 10/09/2020 09:02:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4742 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Computer Account Management OpCode=Info RecordNumber=225308 Keywords=Audit Success Message=A computer account was changed. Subject: Security ID: NT AUTHORITY\ANONYMOUS LOGON Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x3E6 Computer Account That Was Changed: Security ID: ATTACKRANGE\WIN-DC-1796611$ Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Changed Attributes: SAM Account Name: - Display Name: - User Principal Name: - Home Directory: - Home Drive: - Script Path: - Profile Path: - User Workstations: - Password Last Set: - Account Expires: - Primary Group ID: - AllowedToDelegateTo: - Old UAC Value: 0x105 New UAC Value: 0x2100 User Account Control: Account Enabled 'Password Not Required' - Disabled 'Trusted For Delegation' - Enabled User Parameters: - SID History: - Logon Hours: - DNS Host Name: - Service Principal Names: - Additional Information: Privileges: - 10/09/2020 09:02:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4722 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=User Account Management OpCode=Info RecordNumber=225307 Keywords=Audit Success Message=A user account was enabled. Subject: Security ID: NT AUTHORITY\ANONYMOUS LOGON Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x3E6 Target Account: Security ID: ATTACKRANGE\WIN-DC-1796611$ Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE 10/09/2020 09:02:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4741 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Computer Account Management OpCode=Info RecordNumber=225306 Keywords=Audit Success Message=A computer account was created. Subject: Security ID: NT AUTHORITY\ANONYMOUS LOGON Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x3E6 New Computer Account: Security ID: ATTACKRANGE\WIN-DC-1796611$ Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Attributes: SAM Account Name: WIN-DC-1796611$ Display Name: User Principal Name: - Home Directory: Home Drive: Script Path: Profile Path: User Workstations: Password Last Set: Account Expires: Primary Group ID: 516 AllowedToDelegateTo: - Old UAC Value: 0x0 New UAC Value: 0x105 User Account Control: Account Disabled 'Password Not Required' - Enabled 'Server Trust Account' - Enabled User Parameters: SID History: - Logon Hours: DNS Host Name: - Service Principal Names: - Additional Information: Privileges - 10/09/2020 09:02:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=225305 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Group: Security ID: BUILTIN\Performance Log Users Group Name: Performance Log Users Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 10/09/2020 09:02:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4731 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=225304 Keywords=Audit Success Message=A security-enabled local group was created. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 New Group: Security ID: BUILTIN\Performance Log Users Group Name: Performance Log Users Group Domain: Builtin Attributes: SAM Account Name: Performance Log Users SID History: - Additional Information: Privileges: - 10/09/2020 09:02:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=225303 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Group: Security ID: BUILTIN\Performance Monitor Users Group Name: Performance Monitor Users Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 10/09/2020 09:02:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4731 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=225302 Keywords=Audit Success Message=A security-enabled local group was created. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 New Group: Security ID: BUILTIN\Performance Monitor Users Group Name: Performance Monitor Users Group Domain: Builtin Attributes: SAM Account Name: Performance Monitor Users SID History: - Additional Information: Privileges: - 10/09/2020 09:02:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=225301 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Group: Security ID: BUILTIN\Network Configuration Operators Group Name: Network Configuration Operators Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 10/09/2020 09:02:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4731 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=225300 Keywords=Audit Success Message=A security-enabled local group was created. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 New Group: Security ID: BUILTIN\Network Configuration Operators Group Name: Network Configuration Operators Group Domain: Builtin Attributes: SAM Account Name: Network Configuration Operators SID History: - Additional Information: Privileges: - 10/09/2020 09:02:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=225299 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Group: Security ID: BUILTIN\Remote Desktop Users Group Name: Remote Desktop Users Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 10/09/2020 09:02:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4731 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=225298 Keywords=Audit Success Message=A security-enabled local group was created. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 New Group: Security ID: BUILTIN\Remote Desktop Users Group Name: Remote Desktop Users Group Domain: Builtin Attributes: SAM Account Name: Remote Desktop Users SID History: - Additional Information: Privileges: - 10/09/2020 09:02:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=225297 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Group: Security ID: BUILTIN\Print Operators Group Name: Print Operators Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 10/09/2020 09:02:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4731 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=225296 Keywords=Audit Success Message=A security-enabled local group was created. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 New Group: Security ID: BUILTIN\Print Operators Group Name: Print Operators Group Domain: Builtin Attributes: SAM Account Name: Print Operators SID History: - Additional Information: Privileges: - 10/09/2020 09:02:38 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5024 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Other System Events OpCode=Info RecordNumber=225417 Keywords=Audit Success Message=The Windows Firewall service started successfully. 10/09/2020 09:02:38 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5061 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=System Integrity OpCode=Info RecordNumber=225416 Keywords=Audit Success Message=Cryptographic operation. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: TSSecKeySet1 Key Type: Machine key. Cryptographic Operation: Operation: Open Key. Return Code: 0x0 10/09/2020 09:02:38 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5058 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Other System Events OpCode=Info RecordNumber=225415 Keywords=Audit Success Message=Key file operation. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: TSSecKeySet1 Key Type: Machine key. Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\f686aace6942fb7f7ceb231212eef4a4_a5f018ff-4bb8-43ad-9826-7b5a47e80342 Operation: Read persisted key from file. Return Code: 0x0 10/09/2020 09:02:38 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5061 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=System Integrity OpCode=Info RecordNumber=225414 Keywords=Audit Success Message=Cryptographic operation. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: TSSecKeySet1 Key Type: Machine key. Cryptographic Operation: Operation: Open Key. Return Code: 0x0 10/09/2020 09:02:38 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5058 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Other System Events OpCode=Info RecordNumber=225413 Keywords=Audit Success Message=Key file operation. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: TSSecKeySet1 Key Type: Machine key. Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\f686aace6942fb7f7ceb231212eef4a4_a5f018ff-4bb8-43ad-9826-7b5a47e80342 Operation: Read persisted key from file. Return Code: 0x0 10/09/2020 09:02:38 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=225412 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Group: Security ID: BUILTIN\Backup Operators Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x474 Process Name: C:\Windows\System32\svchost.exe 10/09/2020 09:02:38 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=225411 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Group: Security ID: BUILTIN\Administrators Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x474 Process Name: C:\Windows\System32\svchost.exe 10/09/2020 09:02:38 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5033 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Other System Events OpCode=Info RecordNumber=225410 Keywords=Audit Success Message=The Windows Firewall Driver started successfully. 10/09/2020 09:02:38 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=225409 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: Window Manager\DWM-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0xACE9 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege 10/09/2020 09:02:38 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=225408 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: Window Manager\DWM-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0xAD0C Linked Logon ID: 0xACE9 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:02:38 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=225407 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: Window Manager\DWM-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0xACE9 Linked Logon ID: 0xAD0C Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:02:38 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=225406 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: DWM-1 Account Domain: Window Manager Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\winlogon.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:02:38 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=225405 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:02:38 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=225404 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x354 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:02:38 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=225403 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\LOCAL SERVICE Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege 10/09/2020 09:02:38 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=225402 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\LOCAL SERVICE Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x354 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:02:38 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=225401 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:02:38 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=225400 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x354 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:02:38 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=225399 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: NETWORK SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E4 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege 10/09/2020 09:02:38 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=225398 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: NETWORK SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x354 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:02:41 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=225419 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Group: Security ID: BUILTIN\Backup Operators Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe 10/09/2020 09:02:41 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=225418 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Group: Security ID: BUILTIN\Administrators Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe 10/09/2020 09:02:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=225421 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:02:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=225420 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x354 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:02:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=225423 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Group: Security ID: BUILTIN\Backup Operators Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x35c Process Name: C:\Windows\System32\lsass.exe 10/09/2020 09:02:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=225422 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Group: Security ID: BUILTIN\Administrators Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x35c Process Name: C:\Windows\System32\lsass.exe 10/09/2020 09:02:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=225425 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:02:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=225424 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x354 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:02:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=225446 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:02:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=225445 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x354 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:02:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=225444 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:02:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=225443 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x354 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:02:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=225442 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:02:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=225441 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x354 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:02:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=225440 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:02:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=225439 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x354 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:02:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=225438 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:02:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=225437 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x354 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:02:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=225436 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:02:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=225435 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x354 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:02:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=225434 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:02:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=225433 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x354 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:02:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=225432 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\ANONYMOUS LOGON Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x285CC Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V1 Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:02:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=225431 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:02:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=225430 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x354 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:02:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=225429 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:02:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=225428 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x354 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:02:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=225427 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:02:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=225426 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x354 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:03:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4742 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Computer Account Management OpCode=Info RecordNumber=225447 Keywords=Audit Success Message=A computer account was changed. Subject: Security ID: NT AUTHORITY\ANONYMOUS LOGON Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x3E6 Computer Account That Was Changed: Security ID: ATTACKRANGE\WIN-DC-1796611$ Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Changed Attributes: SAM Account Name: - Display Name: - User Principal Name: - Home Directory: - Home Drive: - Script Path: - Profile Path: - User Workstations: - Password Last Set: 10/9/2020 9:03:05 AM Account Expires: - Primary Group ID: - AllowedToDelegateTo: - Old UAC Value: - New UAC Value: - User Account Control: - User Parameters: - SID History: - Logon Hours: - DNS Host Name: - Service Principal Names: - Additional Information: Privileges: - 10/09/2020 09:03:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=225480 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3065A Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:03:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=225479 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x305E4 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:03:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=225478 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x3065A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {AD35A0F2-7BED-96F5-8295-972463FE0B30} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: ::1 Source Port: 49702 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:03:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=225477 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3065A Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 10/09/2020 09:03:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=225476 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x305E4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {AD35A0F2-7BED-96F5-8295-972463FE0B30} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: fe80::15f7:4ea2:8f9e:67e8 Source Port: 49701 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:03:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=225475 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x305E4 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 10/09/2020 09:03:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=225474 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x30560 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {AD35A0F2-7BED-96F5-8295-972463FE0B30} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: fe80::15f7:4ea2:8f9e:67e8 Source Port: 49700 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:03:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=225473 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x30560 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 10/09/2020 09:03:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=225472 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x30406 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {AD35A0F2-7BED-96F5-8295-972463FE0B30} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: fe80::15f7:4ea2:8f9e:67e8 Source Port: 49697 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:03:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=225471 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x30406 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 10/09/2020 09:03:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=225470 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x3032F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {AD35A0F2-7BED-96F5-8295-972463FE0B30} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: fe80::15f7:4ea2:8f9e:67e8 Source Port: 49688 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:03:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=225469 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3032F Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 10/09/2020 09:03:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=225468 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x302E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {AD35A0F2-7BED-96F5-8295-972463FE0B30} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: fe80::15f7:4ea2:8f9e:67e8 Source Port: 49686 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:03:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=225467 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x302E3 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {AD35A0F2-7BED-96F5-8295-972463FE0B30} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: ::1 Source Port: 49675 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:03:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=225466 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x302E7 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 10/09/2020 09:03:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=225465 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x302E3 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 10/09/2020 09:03:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=225464 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x302DF Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {AD35A0F2-7BED-96F5-8295-972463FE0B30} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: ::1 Source Port: 49685 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:03:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=225463 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: WIN-DC-1796611$@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {99BAF601-1A43-F4BD-5C5B-7396D87E9BCD} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:03:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=225462 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x302DF Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 10/09/2020 09:03:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=225461 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x30228 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:03:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=225460 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x30228 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {AD35A0F2-7BED-96F5-8295-972463FE0B30} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: ::1 Source Port: 49692 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:03:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=225459 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x30228 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 10/09/2020 09:03:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4727 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=225458 Keywords=Audit Success Message=A security-enabled global group was created. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x30115 New Group: Security ID: ATTACKRANGE\DnsUpdateProxy Group Name: DnsUpdateProxy Group Domain: ATTACKRANGE Attributes: SAM Account Name: DnsUpdateProxy SID History: - Additional Information: Privileges: - 10/09/2020 09:03:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4742 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Computer Account Management OpCode=Info RecordNumber=225457 Keywords=Audit Success Message=A computer account was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3019A Computer Account That Was Changed: Security ID: ATTACKRANGE\WIN-DC-1796611$ Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Changed Attributes: SAM Account Name: - Display Name: - User Principal Name: - Home Directory: - Home Drive: - Script Path: - Profile Path: - User Workstations: - Password Last Set: - Account Expires: - Primary Group ID: - AllowedToDelegateTo: - Old UAC Value: - New UAC Value: - User Account Control: - User Parameters: - SID History: - Logon Hours: - DNS Host Name: - Service Principal Names: ldap/win-dc-1796611.attackrange.local/attackrange.local ldap/win-dc-1796611.attackrange.local ldap/WIN-DC-1796611 ldap/win-dc-1796611.attackrange.local/ATTACKRANGE ldap/56b2badd-17fa-404a-9152-594780d23fa4._msdcs.attackrange.local ldap/WIN-DC-1796611/ATTACKRANGE E3514235-4B06-11D1-AB04-00C04FC2DCD2/56b2badd-17fa-404a-9152-594780d23fa4/attackrange.local HOST/win-dc-1796611.attackrange.local/attackrange.local HOST/win-dc-1796611.attackrange.local HOST/WIN-DC-1796611 HOST/win-dc-1796611.attackrange.local/ATTACKRANGE HOST/WIN-DC-1796611/ATTACKRANGE RPC/56b2badd-17fa-404a-9152-594780d23fa4._msdcs.attackrange.local RestrictedKrbHost/WIN-DC-1796611 RestrictedKrbHost/win-dc-1796611.attackrange.local GC/win-dc-1796611.attackrange.local/attackrange.local DNS/win-dc-1796611.attackrange.local Additional Information: Privileges: - 10/09/2020 09:03:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=225455 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x3019A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {AD35A0F2-7BED-96F5-8295-972463FE0B30} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: fe80::15f7:4ea2:8f9e:67e8 Source Port: 49691 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:03:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=225454 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3019A Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 10/09/2020 09:03:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=225453 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Group: Security ID: ATTACKRANGE\DnsAdmins Group Name: DnsAdmins Group Domain: ATTACKRANGE Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 10/09/2020 09:03:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4731 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=225452 Keywords=Audit Success Message=A security-enabled local group was created. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 New Group: Security ID: ATTACKRANGE\DnsAdmins Group Name: DnsAdmins Group Domain: ATTACKRANGE Attributes: SAM Account Name: DnsAdmins SID History: - Additional Information: Privileges: - 10/09/2020 09:03:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=225451 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x30115 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {AD35A0F2-7BED-96F5-8295-972463FE0B30} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: ::1 Source Port: 49689 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:03:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=225450 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x30115 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 10/09/2020 09:03:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=225449 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: WIN-DC-1796611$@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {99BAF601-1A43-F4BD-5C5B-7396D87E9BCD} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:03:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=225448 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: WIN-DC-1796611$ Supplied Realm Name: ATTACKRANGE.LOCAL User ID: ATTACKRANGE\WIN-DC-1796611$ Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:03:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=225569 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x302E3 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:03:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=225568 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x31D3A Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:03:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=225567 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x31D3A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {F59142DA-B4B9-5F20-6B78-B0C3B5C1CA11} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: fe80::15f7:4ea2:8f9e:67e8 Source Port: 49705 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:03:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=225566 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x31D3A Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 10/09/2020 09:03:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=225565 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: WIN-DC-1796611$@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {2CED9E8A-B9F9-5CD5-96C6-55486C3870BE} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40800000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:03:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=225564 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x31C07 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:03:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=225563 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x31C58 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:03:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=225562 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Delegation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x31C58 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {F59142DA-B4B9-5F20-6B78-B0C3B5C1CA11} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: fe80::15f7:4ea2:8f9e:67e8 Source Port: 49704 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:03:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=225561 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x31C58 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 10/09/2020 09:03:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=225560 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: WIN-DC-1796611$@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {2CED9E8A-B9F9-5CD5-96C6-55486C3870BE} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:03:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=225559 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x31C07 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {AD35A0F2-7BED-96F5-8295-972463FE0B30} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: fe80::15f7:4ea2:8f9e:67e8 Source Port: 49702 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:03:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=225558 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x31C07 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 10/09/2020 09:03:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=225557 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x31AE2 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:03:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=225556 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x31AE2 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {AD35A0F2-7BED-96F5-8295-972463FE0B30} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: fe80::15f7:4ea2:8f9e:67e8 Source Port: 49701 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:03:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=225555 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x31AE2 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 10/09/2020 09:03:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=225554 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x31940 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:03:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=225553 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x319B9 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:03:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=225552 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x319B9 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {AD35A0F2-7BED-96F5-8295-972463FE0B30} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: fe80::15f7:4ea2:8f9e:67e8 Source Port: 49683 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:03:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=225551 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x319B9 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 10/09/2020 09:03:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=225550 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x31940 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {AD35A0F2-7BED-96F5-8295-972463FE0B30} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: fe80::15f7:4ea2:8f9e:67e8 Source Port: 49682 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:03:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=225549 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x31940 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 10/09/2020 09:03:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=225548 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x31829 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:03:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=225547 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x31829 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {AD35A0F2-7BED-96F5-8295-972463FE0B30} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: fe80::15f7:4ea2:8f9e:67e8 Source Port: 49681 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:03:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=225546 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x31829 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 10/09/2020 09:03:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=225545 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Delegation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x316CB Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {F59142DA-B4B9-5F20-6B78-B0C3B5C1CA11} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:03:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=225544 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x316CB Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 10/09/2020 09:03:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=225543 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Delegation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x3163C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {F59142DA-B4B9-5F20-6B78-B0C3B5C1CA11} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:03:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=225542 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3163C Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 10/09/2020 09:03:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=225541 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Delegation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x315BE Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {F59142DA-B4B9-5F20-6B78-B0C3B5C1CA11} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:03:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=225540 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x315BE Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 10/09/2020 09:03:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=225539 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Delegation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x314F6 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {F59142DA-B4B9-5F20-6B78-B0C3B5C1CA11} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:03:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=225538 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x314F6 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 10/09/2020 09:03:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=225537 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Delegation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x3143C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {F59142DA-B4B9-5F20-6B78-B0C3B5C1CA11} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:03:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=225536 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3143C Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 10/09/2020 09:03:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=225535 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Delegation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x313A6 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {F59142DA-B4B9-5F20-6B78-B0C3B5C1CA11} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:03:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=225534 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x313A6 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 10/09/2020 09:03:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=225533 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Delegation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x3132B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {F59142DA-B4B9-5F20-6B78-B0C3B5C1CA11} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:03:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=225532 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3132B Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 10/09/2020 09:03:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=225531 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Delegation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x312B1 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {F59142DA-B4B9-5F20-6B78-B0C3B5C1CA11} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:03:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=225530 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x312B1 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 10/09/2020 09:03:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=225529 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Delegation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x31239 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {F59142DA-B4B9-5F20-6B78-B0C3B5C1CA11} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:03:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=225528 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x31239 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 10/09/2020 09:03:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=225527 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Delegation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x311BE Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {F59142DA-B4B9-5F20-6B78-B0C3B5C1CA11} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:03:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=225526 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x311BE Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 10/09/2020 09:03:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=225525 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Delegation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x31141 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {F59142DA-B4B9-5F20-6B78-B0C3B5C1CA11} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:03:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=225524 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x31141 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 10/09/2020 09:03:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=225523 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Delegation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x310BA Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {F59142DA-B4B9-5F20-6B78-B0C3B5C1CA11} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:03:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=225522 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x310BA Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 10/09/2020 09:03:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=225521 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Delegation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x31042 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {F59142DA-B4B9-5F20-6B78-B0C3B5C1CA11} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:03:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=225520 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x31042 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 10/09/2020 09:03:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=225519 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Delegation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x30FC0 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {F59142DA-B4B9-5F20-6B78-B0C3B5C1CA11} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:03:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=225518 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x30FC0 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 10/09/2020 09:03:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=225517 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Delegation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x30F4A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {F59142DA-B4B9-5F20-6B78-B0C3B5C1CA11} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:03:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=225516 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x30F4A Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 10/09/2020 09:03:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=225515 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x30E47 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:03:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=225514 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x30E47 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {AD35A0F2-7BED-96F5-8295-972463FE0B30} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: fe80::15f7:4ea2:8f9e:67e8 Source Port: 60609 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:03:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=225513 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x30E47 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 10/09/2020 09:03:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=225512 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Delegation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x30E35 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {F59142DA-B4B9-5F20-6B78-B0C3B5C1CA11} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:03:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=225511 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x30E35 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 10/09/2020 09:03:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=225510 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x30D82 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:03:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=225509 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x30D82 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {AD35A0F2-7BED-96F5-8295-972463FE0B30} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: fe80::15f7:4ea2:8f9e:67e8 Source Port: 60607 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:03:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=225508 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x30D82 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 10/09/2020 09:03:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=225507 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Delegation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x30D5B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {F59142DA-B4B9-5F20-6B78-B0C3B5C1CA11} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:03:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=225506 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x30D5B Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 10/09/2020 09:03:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=225505 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Delegation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x30BFD Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {F59142DA-B4B9-5F20-6B78-B0C3B5C1CA11} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:03:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=225504 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x30BFD Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 10/09/2020 09:03:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=225503 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Group: Security ID: BUILTIN\Backup Operators Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0xad8 Process Name: C:\Windows\System32\dfsrs.exe 10/09/2020 09:03:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=225502 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Group: Security ID: BUILTIN\Administrators Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0xad8 Process Name: C:\Windows\System32\dfsrs.exe 10/09/2020 09:03:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=225501 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x30AA9 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:03:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=225500 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Delegation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x30AF0 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {F59142DA-B4B9-5F20-6B78-B0C3B5C1CA11} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:03:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=225499 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x30AF0 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 10/09/2020 09:03:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=225498 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x30AA9 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {AD35A0F2-7BED-96F5-8295-972463FE0B30} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: fe80::15f7:4ea2:8f9e:67e8 Source Port: 53272 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:03:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=225497 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x30AA9 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 10/09/2020 09:03:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=225496 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Delegation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x309D0 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {F59142DA-B4B9-5F20-6B78-B0C3B5C1CA11} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:03:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=225495 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x309D0 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 10/09/2020 09:03:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=225494 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: WIN-DC-1796611$@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {2CED9E8A-B9F9-5CD5-96C6-55486C3870BE} Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x60810010 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:03:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=225493 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: WIN-DC-1796611$@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {2CED9E8A-B9F9-5CD5-96C6-55486C3870BE} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:03:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=225492 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x308A4 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:03:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=225491 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3082E Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:03:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=225489 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x308A4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {AD35A0F2-7BED-96F5-8295-972463FE0B30} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: ::1 Source Port: 49706 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:03:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=225488 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x308A4 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 10/09/2020 09:03:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=225487 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x307E2 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:03:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=225486 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x3082E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {AD35A0F2-7BED-96F5-8295-972463FE0B30} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: fe80::15f7:4ea2:8f9e:67e8 Source Port: 49705 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:03:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=225485 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3082E Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 10/09/2020 09:03:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=225484 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x307E2 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {AD35A0F2-7BED-96F5-8295-972463FE0B30} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: ::1 Source Port: 49704 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:03:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=225483 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x307E2 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 10/09/2020 09:03:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=225482 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x30771 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {AD35A0F2-7BED-96F5-8295-972463FE0B30} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: ::1 Source Port: 49703 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:03:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=225481 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x30771 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 10/09/2020 09:03:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=225575 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x31EEE Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:03:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=225574 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Delegation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x31EEE Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {F59142DA-B4B9-5F20-6B78-B0C3B5C1CA11} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: fe80::15f7:4ea2:8f9e:67e8 Source Port: 49707 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:03:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=225573 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x31EEE Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 10/09/2020 09:03:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=225572 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x31E8C Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:03:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=225571 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Delegation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x31E8C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {F59142DA-B4B9-5F20-6B78-B0C3B5C1CA11} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: fe80::15f7:4ea2:8f9e:67e8 Source Port: 49706 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:03:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=225570 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x31E8C Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 10/09/2020 09:03:20 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=225577 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Delegation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x32279 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {F59142DA-B4B9-5F20-6B78-B0C3B5C1CA11} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: fe80::15f7:4ea2:8f9e:67e8 Source Port: 49708 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:03:20 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=225576 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x32279 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 10/09/2020 09:03:21 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=225617 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3580F Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:03:21 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=225616 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x3580F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {AD35A0F2-7BED-96F5-8295-972463FE0B30} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: ::1 Source Port: 56934 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:03:21 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=225615 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3580F Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 10/09/2020 09:03:21 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=225614 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x34C98 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:03:21 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=225613 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Delegation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x34CA9 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {F59142DA-B4B9-5F20-6B78-B0C3B5C1CA11} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:03:21 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=225612 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x34CA9 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 10/09/2020 09:03:21 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=225611 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x34C98 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {AD35A0F2-7BED-96F5-8295-972463FE0B30} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: ::1 Source Port: 53415 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:03:21 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=225610 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x34C98 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 10/09/2020 09:03:21 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=225609 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Delegation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x34AC1 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {F59142DA-B4B9-5F20-6B78-B0C3B5C1CA11} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:03:21 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=225608 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x34AC1 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 10/09/2020 09:03:21 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=225606 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Delegation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x34969 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {F59142DA-B4B9-5F20-6B78-B0C3B5C1CA11} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:03:21 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=225605 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x34969 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 10/09/2020 09:03:21 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=225604 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Delegation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x34862 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {F59142DA-B4B9-5F20-6B78-B0C3B5C1CA11} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:03:21 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=225603 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x34862 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 10/09/2020 09:03:21 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=225602 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Delegation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x346CB Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {F59142DA-B4B9-5F20-6B78-B0C3B5C1CA11} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:03:21 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=225601 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x346CB Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 10/09/2020 09:03:21 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=225600 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x34358 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:03:21 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=225599 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x34481 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:03:21 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=225597 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Delegation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x34481 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {AD35A0F2-7BED-96F5-8295-972463FE0B30} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: fe80::15f7:4ea2:8f9e:67e8 Source Port: 62318 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:03:21 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=225596 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x34481 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 10/09/2020 09:03:21 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=225594 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Delegation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x343D5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {F59142DA-B4B9-5F20-6B78-B0C3B5C1CA11} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:03:21 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=225593 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x343D5 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 10/09/2020 09:03:21 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=225591 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Delegation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x34358 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {AD35A0F2-7BED-96F5-8295-972463FE0B30} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: ::1 Source Port: 49713 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:03:21 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=225590 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x34358 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 10/09/2020 09:03:21 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=225589 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x34134 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:03:21 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=225588 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3427A Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:03:21 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=225586 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Delegation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x3427A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {AD35A0F2-7BED-96F5-8295-972463FE0B30} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: fe80::15f7:4ea2:8f9e:67e8 Source Port: 49712 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:03:21 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=225585 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3427A Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 10/09/2020 09:03:21 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=225582 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x3419D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {7ABC6CE7-5285-BFA5-31B1-B2BF5C2CB739} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: fe80::15f7:4ea2:8f9e:67e8 Source Port: 49711 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:03:21 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=225581 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3419D Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 10/09/2020 09:03:21 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=225580 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: WIN-DC-1796611$@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {EE2D892F-3C11-93A5-A38B-B80552275E21} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40800000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:03:21 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=225579 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Delegation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x34134 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {AD35A0F2-7BED-96F5-8295-972463FE0B30} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: ::1 Source Port: 49709 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:03:21 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=225578 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x34134 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 10/09/2020 09:03:22 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=225629 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Group: Security ID: BUILTIN\Backup Operators Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x9cc Process Name: C:\Windows\System32\VSSVC.exe 10/09/2020 09:03:22 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=225628 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Group: Security ID: BUILTIN\Administrators Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x9cc Process Name: C:\Windows\System32\VSSVC.exe 10/09/2020 09:03:22 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=225627 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Group: Security ID: BUILTIN\Backup Operators Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x9cc Process Name: C:\Windows\System32\VSSVC.exe 10/09/2020 09:03:22 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=225626 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Group: Security ID: BUILTIN\Administrators Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x9cc Process Name: C:\Windows\System32\VSSVC.exe 10/09/2020 09:03:22 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=225625 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Group: Security ID: BUILTIN\Backup Operators Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x9cc Process Name: C:\Windows\System32\VSSVC.exe 10/09/2020 09:03:22 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=225624 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Group: Security ID: BUILTIN\Administrators Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x9cc Process Name: C:\Windows\System32\VSSVC.exe 10/09/2020 09:03:22 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=225623 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:03:22 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=225622 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x354 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:03:22 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=225621 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Group: Security ID: BUILTIN\Backup Operators Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x9cc Process Name: C:\Windows\System32\VSSVC.exe 10/09/2020 09:03:22 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=225620 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Group: Security ID: BUILTIN\Administrators Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x9cc Process Name: C:\Windows\System32\VSSVC.exe 10/09/2020 09:03:22 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=225619 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:03:22 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=225618 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x354 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:03:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=225634 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\WIN-DC-1796611$ Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3878E Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:03:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=225633 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\WIN-DC-1796611$ Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x3878E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {8F59F734-4538-89BA-C66C-2FF2280DBCCD} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.0.1.14 Source Port: 56935 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:03:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=225632 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\WIN-DC-1796611$ Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3878E Privileges: SeAuditPrivilege SeImpersonatePrivilege SeAssignPrimaryTokenPrivilege 10/09/2020 09:03:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=225631 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: WIN-DC-1796611$@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {8E046A18-2B52-BA1C-0D56-523EAA111BA3} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40800000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:03:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=225630 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: WIN-DC-1796611$ Supplied Realm Name: attackrange.local User ID: ATTACKRANGE\WIN-DC-1796611$ Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:03:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=225654 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x3D1A0 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {AD35A0F2-7BED-96F5-8295-972463FE0B30} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: ::1 Source Port: 56939 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:03:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=225653 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3D1A0 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 10/09/2020 09:03:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=225652 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x38B46 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:03:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4713 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Authentication Policy Change OpCode=Info RecordNumber=225651 Keywords=Audit Success Message=Kerberos policy was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Changes Made: ('--' means no changes, otherwise each change is shown as: (Parameter Name): (new value) (old value)) KerOpts: 0x80 (none); KerMinT: 0x53d1ac1000 (none); KerMaxT: 0x53d1ac1000 (none); KerMaxR: 0x58028e44000 (none); KerProxy: 0xb2d05e00 (none); KerLogoff: 0x9 (none); 10/09/2020 09:03:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4739 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Authentication Policy Change OpCode=Info RecordNumber=225650 Keywords=Audit Success Message=Domain Policy was changed. Change Type: Password Policy modified Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Domain: Domain Name: ATTACKRANGE Domain ID: ATTACKRANGE\ Changed Attributes: Min. Password Age: Max. Password Age: Force Logoff: Lockout Threshold: Lockout Observation Window: - Lockout Duration: - Password Properties: - Min. Password Length: - Password History Length: - Machine Account Quota: - Mixed Domain Mode: 7 Domain Behavior Version: 24 OEM Information: - Additional Information: Privileges: - 10/09/2020 09:03:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=225649 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x391FF Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:03:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=225648 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x391FF Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {D830101F-5339-028B-94B2-11EB21EF7750} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: ::1 Source Port: 0 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:03:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=225647 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x391FF Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 10/09/2020 09:03:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=225646 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x38C46 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:03:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=225645 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x38C8A Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:03:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=225644 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x38C8A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {F59142DA-B4B9-5F20-6B78-B0C3B5C1CA11} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.0.1.14 Source Port: 56938 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:03:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=225643 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x38C8A Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 10/09/2020 09:03:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=225642 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x38C46 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {D830101F-5339-028B-94B2-11EB21EF7750} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: ::1 Source Port: 0 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:03:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=225641 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x38C46 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 10/09/2020 09:03:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=225640 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: WIN-DC-1796611$@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {7B087596-8073-47FC-6529-53B3A8C20CDE} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:03:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=225639 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x38B46 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {F59142DA-B4B9-5F20-6B78-B0C3B5C1CA11} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: fe80::15f7:4ea2:8f9e:67e8 Source Port: 56937 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:03:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=225638 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x38B46 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 10/09/2020 09:03:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=225637 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3891E Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:03:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=225636 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x3891E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {AD35A0F2-7BED-96F5-8295-972463FE0B30} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: ::1 Source Port: 56936 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:03:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=225635 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3891E Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 10/09/2020 09:03:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=225656 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x3D7E0 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {F59142DA-B4B9-5F20-6B78-B0C3B5C1CA11} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 2001:0:2851:782c:30db:219:f5ff:fef1 Source Port: 56940 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:03:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=225655 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3D7E0 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 10/09/2020 09:03:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=225679 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3D1A0 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:03:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=225678 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x403CC Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:03:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=225677 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x405BD Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:03:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=225676 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x405BD Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {73096C49-C340-E927-7AF1-18733C043020} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:03:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=225675 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x405BD Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 10/09/2020 09:03:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=225674 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE.LOCAL Logon GUID: {9CAF48A2-7D6A-7309-FF32-E81ED1D7EEAB} Target Server: Target Server Name: win-dc-1796611$ Additional Information: win-dc-1796611$ Process Information: Process ID: 0xd08 Process Name: C:\Windows\System32\taskhostw.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:03:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=225673 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: WIN-DC-1796611$@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {9CAF48A2-7D6A-7309-FF32-E81ED1D7EEAB} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:03:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=225672 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: WIN-DC-1796611$ Supplied Realm Name: ATTACKRANGE.LOCAL User ID: ATTACKRANGE\WIN-DC-1796611$ Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:03:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=225671 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x403CC Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {F59142DA-B4B9-5F20-6B78-B0C3B5C1CA11} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 2001:0:2851:782c:30db:219:f5ff:fef1 Source Port: 56943 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:03:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=225670 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x403CC Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 10/09/2020 09:03:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=225669 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3ED07 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:03:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=225668 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3FA1A Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:03:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=225667 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x3FA1A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {73096C49-C340-E927-7AF1-18733C043020} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:03:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=225666 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3FA1A Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 10/09/2020 09:03:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=225665 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE.LOCAL Logon GUID: {9CAF48A2-7D6A-7309-FF32-E81ED1D7EEAB} Target Server: Target Server Name: win-dc-1796611$ Additional Information: win-dc-1796611$ Process Information: Process ID: 0xd08 Process Name: C:\Windows\System32\taskhostw.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:03:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=225664 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: WIN-DC-1796611$@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {9CAF48A2-7D6A-7309-FF32-E81ED1D7EEAB} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:03:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=225663 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: WIN-DC-1796611$ Supplied Realm Name: ATTACKRANGE.LOCAL User ID: ATTACKRANGE\WIN-DC-1796611$ Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:03:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=225662 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x3ED07 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {F59142DA-B4B9-5F20-6B78-B0C3B5C1CA11} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 2001:0:2851:782c:30db:219:f5ff:fef1 Source Port: 56942 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:03:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=225661 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3ED07 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 10/09/2020 09:03:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=225660 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E87C Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:03:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=225659 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x3E87C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {AD35A0F2-7BED-96F5-8295-972463FE0B30} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: ::1 Source Port: 56941 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:03:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=225658 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E87C Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 10/09/2020 09:03:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=225657 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3D7E0 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:03:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=225689 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Delegation New Logon: Security ID: ATTACKRANGE\WIN-DC-1796611$ Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x47206 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {D42D2517-B730-5C60-440A-55E3B141F96C} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:03:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=225688 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\WIN-DC-1796611$ Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x47206 Privileges: SeAuditPrivilege SeImpersonatePrivilege SeAssignPrimaryTokenPrivilege 10/09/2020 09:03:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=225687 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: WIN-DC-1796611$@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {C6DC453D-425A-DD75-A81C-A81EF40E5339} Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x60810010 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:03:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=225686 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: WIN-DC-1796611$@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {C6DC453D-425A-DD75-A81C-A81EF40E5339} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:03:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4742 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Computer Account Management OpCode=Info RecordNumber=225685 Keywords=Audit Success Message=A computer account was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x46970 Computer Account That Was Changed: Security ID: ATTACKRANGE\WIN-DC-1796611$ Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Changed Attributes: SAM Account Name: - Display Name: - User Principal Name: - Home Directory: - Home Drive: - Script Path: - Profile Path: - User Workstations: - Password Last Set: - Account Expires: - Primary Group ID: - AllowedToDelegateTo: - Old UAC Value: - New UAC Value: - User Account Control: - User Parameters: - SID History: - Logon Hours: - DNS Host Name: - Service Principal Names: ldap/win-dc-1796611.attackrange.local/attackrange.local ldap/win-dc-1796611.attackrange.local ldap/WIN-DC-1796611 ldap/win-dc-1796611.attackrange.local/ATTACKRANGE ldap/56b2badd-17fa-404a-9152-594780d23fa4._msdcs.attackrange.local ldap/WIN-DC-1796611/ATTACKRANGE E3514235-4B06-11D1-AB04-00C04FC2DCD2/56b2badd-17fa-404a-9152-594780d23fa4/attackrange.local HOST/win-dc-1796611.attackrange.local/attackrange.local HOST/win-dc-1796611.attackrange.local HOST/WIN-DC-1796611 HOST/win-dc-1796611.attackrange.local/ATTACKRANGE HOST/WIN-DC-1796611/ATTACKRANGE RPC/56b2badd-17fa-404a-9152-594780d23fa4._msdcs.attackrange.local RestrictedKrbHost/WIN-DC-1796611 RestrictedKrbHost/win-dc-1796611.attackrange.local GC/win-dc-1796611.attackrange.local/attackrange.local DNS/win-dc-1796611.attackrange.local ldap/win-dc-1796611.attackrange.local/DomainDnsZones.attackrange.local ldap/win-dc-1796611.attackrange.local/ForestDnsZones.attackrange.local TERMSRV/win-dc-1796611.attackrange.local TERMSRV/WIN-DC-1796611 Additional Information: Privileges: - 10/09/2020 09:03:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4742 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Computer Account Management OpCode=Info RecordNumber=225683 Keywords=Audit Success Message=A computer account was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x46970 Computer Account That Was Changed: Security ID: ATTACKRANGE\WIN-DC-1796611$ Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Changed Attributes: SAM Account Name: - Display Name: - User Principal Name: - Home Directory: - Home Drive: - Script Path: - Profile Path: - User Workstations: - Password Last Set: - Account Expires: - Primary Group ID: - AllowedToDelegateTo: - Old UAC Value: - New UAC Value: - User Account Control: - User Parameters: - SID History: - Logon Hours: - DNS Host Name: - Service Principal Names: ldap/win-dc-1796611.attackrange.local/attackrange.local ldap/win-dc-1796611.attackrange.local ldap/WIN-DC-1796611 ldap/win-dc-1796611.attackrange.local/ATTACKRANGE ldap/56b2badd-17fa-404a-9152-594780d23fa4._msdcs.attackrange.local ldap/WIN-DC-1796611/ATTACKRANGE E3514235-4B06-11D1-AB04-00C04FC2DCD2/56b2badd-17fa-404a-9152-594780d23fa4/attackrange.local HOST/win-dc-1796611.attackrange.local/attackrange.local HOST/win-dc-1796611.attackrange.local HOST/WIN-DC-1796611 HOST/win-dc-1796611.attackrange.local/ATTACKRANGE HOST/WIN-DC-1796611/ATTACKRANGE RPC/56b2badd-17fa-404a-9152-594780d23fa4._msdcs.attackrange.local RestrictedKrbHost/WIN-DC-1796611 RestrictedKrbHost/win-dc-1796611.attackrange.local GC/win-dc-1796611.attackrange.local/attackrange.local DNS/win-dc-1796611.attackrange.local ldap/win-dc-1796611.attackrange.local/DomainDnsZones.attackrange.local ldap/win-dc-1796611.attackrange.local/ForestDnsZones.attackrange.local TERMSRV/win-dc-1796611.attackrange.local Additional Information: Privileges: - 10/09/2020 09:03:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=225681 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x46970 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {AD35A0F2-7BED-96F5-8295-972463FE0B30} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: fe80::15f7:4ea2:8f9e:67e8 Source Port: 56945 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:03:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=225680 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x46970 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 10/09/2020 09:03:39 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=225690 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x32279 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:04:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=225698 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x47D0B Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:04:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=225697 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x47D0B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {AD35A0F2-7BED-96F5-8295-972463FE0B30} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: ::1 Source Port: 51069 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:04:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=225696 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x47D0B Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 10/09/2020 09:04:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=225695 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Delegation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x47CD1 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {AD35A0F2-7BED-96F5-8295-972463FE0B30} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: fe80::15f7:4ea2:8f9e:67e8 Source Port: 51068 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:04:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=225694 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x47CD1 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 10/09/2020 09:04:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=225693 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x47C98 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:04:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=225692 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x47C98 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {AD35A0F2-7BED-96F5-8295-972463FE0B30} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: ::1 Source Port: 51067 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:04:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=225691 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x47C98 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 10/09/2020 09:05:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=225701 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x4B87C Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:05:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=225700 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x4B87C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {AD35A0F2-7BED-96F5-8295-972463FE0B30} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: ::1 Source Port: 51070 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:05:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=225699 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x4B87C Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 10/09/2020 09:05:36 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=225702 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3032F Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:05:38 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=225703 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x46970 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:05:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=225704 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3019A Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:06:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=225707 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x4DA04 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:06:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=225706 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x4DA04 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {AD35A0F2-7BED-96F5-8295-972463FE0B30} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: ::1 Source Port: 51073 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:06:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=225705 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x4DA04 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 10/09/2020 09:06:20 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=225734 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x309D0 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:06:20 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=225733 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x30AF0 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:06:20 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=225732 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x30BFD Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:06:20 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=225731 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x30D5B Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:06:20 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=225730 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x30E35 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:06:20 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=225729 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x30F4A Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:06:20 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=225728 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x30FC0 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:06:20 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=225727 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x31042 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:06:20 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=225726 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x310BA Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:06:20 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=225725 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x31141 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:06:20 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=225724 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x311BE Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:06:20 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=225723 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x31239 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:06:20 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=225722 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x312B1 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:06:20 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=225721 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3132B Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:06:20 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=225720 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x313A6 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:06:20 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=225719 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3143C Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:06:20 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=225718 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x314F6 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:06:20 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=225717 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x315BE Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:06:20 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=225716 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3163C Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:06:20 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=225715 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x316CB Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:06:20 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=225714 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x343D5 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:06:20 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=225713 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x346CB Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:06:20 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=225712 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x34862 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:06:20 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=225711 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x34969 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:06:20 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=225710 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x34AC1 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:06:20 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=225709 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x34CA9 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:06:20 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=225708 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\WIN-DC-1796611$ Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x47206 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:06:55 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=225774 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x4FFDE Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:06:55 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=225773 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x4FFDE Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {478BEFA2-CCC0-46AC-0785-A49E480C8E34} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:06:55 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=225772 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {478BEFA2-CCC0-46AC-0785-A49E480C8E34} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:06:55 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=225771 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {478BEFA2-CCC0-46AC-0785-A49E480C8E34} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:06:55 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=225770 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:06:55 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=225769 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x4FF65 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:06:55 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=225768 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x4FF65 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {478BEFA2-CCC0-46AC-0785-A49E480C8E34} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:06:55 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=225767 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {478BEFA2-CCC0-46AC-0785-A49E480C8E34} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:06:55 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=225766 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {478BEFA2-CCC0-46AC-0785-A49E480C8E34} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:06:55 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=225765 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:06:55 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=225764 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x4FD1A Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:06:55 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=225763 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x4FD1A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {478BEFA2-CCC0-46AC-0785-A49E480C8E34} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:06:55 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=225762 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {478BEFA2-CCC0-46AC-0785-A49E480C8E34} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:06:55 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=225761 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {478BEFA2-CCC0-46AC-0785-A49E480C8E34} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:06:55 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=225760 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:06:55 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=225759 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x4FCEC Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:06:55 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=225758 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x4FCEC Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:06:55 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=225757 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x4FCEC Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {478BEFA2-CCC0-46AC-0785-A49E480C8E34} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:06:55 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=225756 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {478BEFA2-CCC0-46AC-0785-A49E480C8E34} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:06:55 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=225755 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {478BEFA2-CCC0-46AC-0785-A49E480C8E34} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:06:55 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=225754 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:06:55 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=225753 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x4EBA5 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:06:55 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=225752 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x4EBA5 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:06:55 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=225751 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x4EBA5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {478BEFA2-CCC0-46AC-0785-A49E480C8E34} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:06:55 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=225750 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {478BEFA2-CCC0-46AC-0785-A49E480C8E34} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:06:55 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=225749 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {478BEFA2-CCC0-46AC-0785-A49E480C8E34} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:06:55 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=225748 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:06:55 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=225747 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x4EB2B Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:06:55 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=225746 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x4EB2B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {478BEFA2-CCC0-46AC-0785-A49E480C8E34} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:06:55 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=225745 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {478BEFA2-CCC0-46AC-0785-A49E480C8E34} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:06:55 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=225744 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {478BEFA2-CCC0-46AC-0785-A49E480C8E34} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:06:55 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=225743 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:06:55 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=225742 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Group: Security ID: BUILTIN\Administrators Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x474 Process Name: C:\Windows\System32\svchost.exe 10/09/2020 09:06:55 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=225741 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x4E464 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:06:55 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=225740 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x4E464 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {478BEFA2-CCC0-46AC-0785-A49E480C8E34} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:06:55 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=225739 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {478BEFA2-CCC0-46AC-0785-A49E480C8E34} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:06:55 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=225738 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {478BEFA2-CCC0-46AC-0785-A49E480C8E34} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:06:55 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=225737 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:06:55 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5061 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=System Integrity OpCode=Info RecordNumber=225736 Keywords=Audit Success Message=Cryptographic operation. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: tp-311d0843-98b0-4f90-836e-7f5cb6a401a8 Key Type: Machine key. Cryptographic Operation: Operation: Open Key. Return Code: 0x0 10/09/2020 09:06:55 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5058 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Other System Events OpCode=Info RecordNumber=225735 Keywords=Audit Success Message=Key file operation. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: a66784502aa0ecc0e4668d873ec398e1_a5f018ff-4bb8-43ad-9826-7b5a47e80342 Key Type: Machine key. Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\a66784502aa0ecc0e4668d873ec398e1_a5f018ff-4bb8-43ad-9826-7b5a47e80342 Operation: Read persisted key from file. Return Code: 0x0 10/09/2020 09:06:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=225814 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x526EA Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:06:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=225813 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x526EA Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {158FE649-AF40-64C5-EF28-D747E3433B2B} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:06:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=225812 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {158FE649-AF40-64C5-EF28-D747E3433B2B} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:06:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=225811 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {158FE649-AF40-64C5-EF28-D747E3433B2B} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:06:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=225810 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:06:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=225809 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x52286 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:06:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=225808 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x52286 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {158FE649-AF40-64C5-EF28-D747E3433B2B} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:06:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=225807 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {158FE649-AF40-64C5-EF28-D747E3433B2B} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:06:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=225806 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {158FE649-AF40-64C5-EF28-D747E3433B2B} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:06:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=225805 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:06:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=225804 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x50E56 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:06:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=225803 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x50E56 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {158FE649-AF40-64C5-EF28-D747E3433B2B} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:06:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=225802 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {158FE649-AF40-64C5-EF28-D747E3433B2B} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:06:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=225801 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {158FE649-AF40-64C5-EF28-D747E3433B2B} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:06:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=225800 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:06:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=225799 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x50DD1 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:06:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=225798 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x50DD1 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {158FE649-AF40-64C5-EF28-D747E3433B2B} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:06:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=225797 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {158FE649-AF40-64C5-EF28-D747E3433B2B} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:06:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=225796 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {158FE649-AF40-64C5-EF28-D747E3433B2B} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:06:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=225795 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:06:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=225794 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x50B86 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:06:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=225793 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x50B86 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {158FE649-AF40-64C5-EF28-D747E3433B2B} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:06:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=225792 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {158FE649-AF40-64C5-EF28-D747E3433B2B} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:06:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=225791 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {158FE649-AF40-64C5-EF28-D747E3433B2B} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:06:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=225790 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:06:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=225789 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x4FD1A Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:06:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=225788 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x50B35 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:06:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=225787 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x4FF65 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:06:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=225786 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x50B35 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:06:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=225785 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x50B35 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {158FE649-AF40-64C5-EF28-D747E3433B2B} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:06:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=225784 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {158FE649-AF40-64C5-EF28-D747E3433B2B} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:06:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=225783 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {158FE649-AF40-64C5-EF28-D747E3433B2B} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:06:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=225782 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:06:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=225781 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x50B19 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:06:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=225780 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x50B19 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:06:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=225779 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x50B19 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {158FE649-AF40-64C5-EF28-D747E3433B2B} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:06:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=225778 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {158FE649-AF40-64C5-EF28-D747E3433B2B} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:06:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=225777 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {158FE649-AF40-64C5-EF28-D747E3433B2B} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:06:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=225776 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:06:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=225775 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x4FFDE Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:06:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=225816 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:06:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=225815 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x354 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:07:00 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=225848 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x5A624 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:07:00 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=225847 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x5A624 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {8F457C5B-4088-FD3E-9A42-1DBCE29D9019} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:07:00 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=225846 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {8F457C5B-4088-FD3E-9A42-1DBCE29D9019} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:07:00 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=225845 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {8F457C5B-4088-FD3E-9A42-1DBCE29D9019} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:07:00 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=225844 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:07:00 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=225843 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x5A596 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:07:00 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=225842 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x5A596 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {8F457C5B-4088-FD3E-9A42-1DBCE29D9019} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:07:00 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=225841 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {8F457C5B-4088-FD3E-9A42-1DBCE29D9019} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:07:00 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=225840 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {8F457C5B-4088-FD3E-9A42-1DBCE29D9019} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:07:00 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=225839 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:07:00 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=225838 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x5A34B Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:07:00 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=225837 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x5A34B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {8F457C5B-4088-FD3E-9A42-1DBCE29D9019} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:07:00 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=225836 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {8F457C5B-4088-FD3E-9A42-1DBCE29D9019} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:07:00 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=225835 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {8F457C5B-4088-FD3E-9A42-1DBCE29D9019} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:07:00 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=225834 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:07:00 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=225833 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x50B86 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:07:00 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=225832 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x5A314 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:07:00 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=225831 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x50DD1 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:07:00 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=225830 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x5A314 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:07:00 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=225829 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x5A314 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {8F457C5B-4088-FD3E-9A42-1DBCE29D9019} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:07:00 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=225828 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {8F457C5B-4088-FD3E-9A42-1DBCE29D9019} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:07:00 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=225827 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {8F457C5B-4088-FD3E-9A42-1DBCE29D9019} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:07:00 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=225826 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:07:00 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=225825 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x5A2F8 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:07:00 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=225824 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x5A2F8 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:07:00 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=225823 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x5A2F8 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {8F457C5B-4088-FD3E-9A42-1DBCE29D9019} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:07:00 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=225822 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {8F457C5B-4088-FD3E-9A42-1DBCE29D9019} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:07:00 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=225821 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {8F457C5B-4088-FD3E-9A42-1DBCE29D9019} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:07:00 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=225820 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:07:00 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=225819 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x526EA Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:07:00 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=225818 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x52286 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:07:00 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=225817 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x50E56 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:07:01 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=225858 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x5BF8C Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:07:01 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=225857 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x5BF8C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {07114AE6-B342-24CE-9F92-A6F6301D7854} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:07:01 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=225856 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {07114AE6-B342-24CE-9F92-A6F6301D7854} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:07:01 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=225855 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {07114AE6-B342-24CE-9F92-A6F6301D7854} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:07:01 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=225854 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:07:01 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=225853 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x5BA3F Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:07:01 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=225852 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x5BA3F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {07114AE6-B342-24CE-9F92-A6F6301D7854} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:07:01 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=225851 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {07114AE6-B342-24CE-9F92-A6F6301D7854} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:07:01 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=225850 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {07114AE6-B342-24CE-9F92-A6F6301D7854} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:07:01 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=225849 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:07:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=225895 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x5DC32 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:07:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=225894 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x5DC32 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {5C3FDD91-8CC3-DBB4-8B37-F4A5560364BA} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:07:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=225893 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {5C3FDD91-8CC3-DBB4-8B37-F4A5560364BA} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:07:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=225892 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {5C3FDD91-8CC3-DBB4-8B37-F4A5560364BA} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:07:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=225891 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:07:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=225890 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x5C81F Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:07:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=225889 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x5C81F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {5C3FDD91-8CC3-DBB4-8B37-F4A5560364BA} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:07:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=225888 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {5C3FDD91-8CC3-DBB4-8B37-F4A5560364BA} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:07:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=225887 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {5C3FDD91-8CC3-DBB4-8B37-F4A5560364BA} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:07:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=225886 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:07:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=225885 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x5C794 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:07:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=225884 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x5C794 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {5C3FDD91-8CC3-DBB4-8B37-F4A5560364BA} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:07:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=225883 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {5C3FDD91-8CC3-DBB4-8B37-F4A5560364BA} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:07:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=225882 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {5C3FDD91-8CC3-DBB4-8B37-F4A5560364BA} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:07:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=225881 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:07:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=225880 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x5C549 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:07:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=225879 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x5C549 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {5C3FDD91-8CC3-DBB4-8B37-F4A5560364BA} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:07:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=225878 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {5C3FDD91-8CC3-DBB4-8B37-F4A5560364BA} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:07:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=225877 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {5C3FDD91-8CC3-DBB4-8B37-F4A5560364BA} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:07:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=225876 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:07:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=225875 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x5A34B Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:07:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=225874 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x5C512 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:07:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=225873 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x5A596 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:07:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=225872 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x5C512 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:07:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=225871 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x5C512 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {5C3FDD91-8CC3-DBB4-8B37-F4A5560364BA} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:07:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=225870 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {5C3FDD91-8CC3-DBB4-8B37-F4A5560364BA} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:07:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=225869 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {5C3FDD91-8CC3-DBB4-8B37-F4A5560364BA} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:07:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=225868 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:07:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=225867 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x5C4F6 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:07:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=225866 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x5C4F6 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:07:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=225865 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x5C4F6 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {5C3FDD91-8CC3-DBB4-8B37-F4A5560364BA} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:07:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=225864 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {5C3FDD91-8CC3-DBB4-8B37-F4A5560364BA} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:07:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=225863 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {5C3FDD91-8CC3-DBB4-8B37-F4A5560364BA} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:07:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=225862 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:07:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=225861 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x5BF8C Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:07:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=225860 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x5BA3F Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:07:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=225859 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x5A624 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:07:03 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=225900 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x5E489 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:07:03 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=225899 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x5E489 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {02947CB0-18EF-AEBE-A54E-A5F754E84C62} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:07:03 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=225898 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {02947CB0-18EF-AEBE-A54E-A5F754E84C62} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:07:03 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=225897 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {02947CB0-18EF-AEBE-A54E-A5F754E84C62} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:07:03 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=225896 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:07:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=225937 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x60C28 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:07:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=225936 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x60C28 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {9C9F34CA-A378-B272-1FA7-730B92B9FFFD} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:07:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=225935 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {9C9F34CA-A378-B272-1FA7-730B92B9FFFD} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:07:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=225934 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {9C9F34CA-A378-B272-1FA7-730B92B9FFFD} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:07:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=225933 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:07:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=225932 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x5F817 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:07:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=225931 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x5F817 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {9C9F34CA-A378-B272-1FA7-730B92B9FFFD} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:07:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=225930 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {9C9F34CA-A378-B272-1FA7-730B92B9FFFD} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:07:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=225929 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {9C9F34CA-A378-B272-1FA7-730B92B9FFFD} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:07:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=225928 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:07:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=225927 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x5F785 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:07:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=225926 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x5F785 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {9C9F34CA-A378-B272-1FA7-730B92B9FFFD} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:07:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=225925 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {9C9F34CA-A378-B272-1FA7-730B92B9FFFD} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:07:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=225924 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {9C9F34CA-A378-B272-1FA7-730B92B9FFFD} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:07:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=225923 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:07:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=225922 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x5F53A Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:07:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=225921 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x5F53A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {9C9F34CA-A378-B272-1FA7-730B92B9FFFD} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:07:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=225920 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {9C9F34CA-A378-B272-1FA7-730B92B9FFFD} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:07:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=225919 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {9C9F34CA-A378-B272-1FA7-730B92B9FFFD} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:07:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=225918 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:07:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=225917 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x5C549 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:07:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=225916 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x5F505 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:07:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=225915 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x5C794 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:07:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=225914 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x5F505 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:07:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=225913 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x5F505 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {9C9F34CA-A378-B272-1FA7-730B92B9FFFD} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:07:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=225912 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {9C9F34CA-A378-B272-1FA7-730B92B9FFFD} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:07:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=225911 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {9C9F34CA-A378-B272-1FA7-730B92B9FFFD} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:07:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=225910 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:07:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=225909 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x5F4E9 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:07:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=225908 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x5F4E9 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:07:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=225907 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x5F4E9 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {9C9F34CA-A378-B272-1FA7-730B92B9FFFD} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:07:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=225906 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {9C9F34CA-A378-B272-1FA7-730B92B9FFFD} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:07:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=225905 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {9C9F34CA-A378-B272-1FA7-730B92B9FFFD} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:07:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=225904 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:07:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=225903 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x5E489 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:07:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=225902 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x5DC32 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:07:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=225901 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x5C81F Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:07:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=225942 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x6147C Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:07:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=225941 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x6147C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {5789EE41-94F4-7734-1463-ED6706CD3493} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:07:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=225940 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {5789EE41-94F4-7734-1463-ED6706CD3493} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:07:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=225939 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {5789EE41-94F4-7734-1463-ED6706CD3493} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:07:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=225938 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:07:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=225944 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:07:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=225943 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x354 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:07:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=225947 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x6F781 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:07:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=225946 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x6F781 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {AD35A0F2-7BED-96F5-8295-972463FE0B30} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: ::1 Source Port: 51078 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:07:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=225945 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x6F781 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 10/09/2020 09:07:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=225969 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x75171 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:07:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=225968 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x5F785 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:07:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=225967 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x75171 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:07:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=225966 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x75171 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {E01EB191-8DC7-14F8-0C70-BEBDDBF430D6} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:07:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=225965 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {E01EB191-8DC7-14F8-0C70-BEBDDBF430D6} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:07:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=225964 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {E01EB191-8DC7-14F8-0C70-BEBDDBF430D6} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:07:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=225963 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:07:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=225962 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x75155 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:07:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=225961 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x75155 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:07:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=225960 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x75155 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {E01EB191-8DC7-14F8-0C70-BEBDDBF430D6} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:07:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=225959 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {E01EB191-8DC7-14F8-0C70-BEBDDBF430D6} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:07:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=225958 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {E01EB191-8DC7-14F8-0C70-BEBDDBF430D6} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:07:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=225957 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:07:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=225956 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x74DCD Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:07:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=225955 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x60C28 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:07:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=225954 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x5F817 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:07:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=225953 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x74DCD Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:07:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=225952 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x74DCD Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {E01EB191-8DC7-14F8-0C70-BEBDDBF430D6} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:07:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=225951 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {E01EB191-8DC7-14F8-0C70-BEBDDBF430D6} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:07:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=225950 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {E01EB191-8DC7-14F8-0C70-BEBDDBF430D6} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:07:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=225949 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:07:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=225948 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x6147C Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:07:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=225994 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x77739 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:07:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=225993 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x77739 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {397E4CEB-7A82-FF3A-802B-221B6D9D875E} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:07:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=225992 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {397E4CEB-7A82-FF3A-802B-221B6D9D875E} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:07:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=225991 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {397E4CEB-7A82-FF3A-802B-221B6D9D875E} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:07:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=225990 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:07:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=225989 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x769F1 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:07:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=225988 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x769F1 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {397E4CEB-7A82-FF3A-802B-221B6D9D875E} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:07:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=225987 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {397E4CEB-7A82-FF3A-802B-221B6D9D875E} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:07:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=225986 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {397E4CEB-7A82-FF3A-802B-221B6D9D875E} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:07:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=225985 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:07:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=225984 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x75540 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:07:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=225983 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x75540 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {397E4CEB-7A82-FF3A-802B-221B6D9D875E} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:07:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=225982 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {397E4CEB-7A82-FF3A-802B-221B6D9D875E} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:07:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=225981 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {397E4CEB-7A82-FF3A-802B-221B6D9D875E} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:07:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=225980 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:07:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=225979 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x754B4 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:07:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=225978 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x754B4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {397E4CEB-7A82-FF3A-802B-221B6D9D875E} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:07:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=225977 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {397E4CEB-7A82-FF3A-802B-221B6D9D875E} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:07:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=225976 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {397E4CEB-7A82-FF3A-802B-221B6D9D875E} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:07:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=225975 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:07:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=225974 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x751B9 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:07:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=225973 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x751B9 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {397E4CEB-7A82-FF3A-802B-221B6D9D875E} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:07:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=225972 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {397E4CEB-7A82-FF3A-802B-221B6D9D875E} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:07:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=225971 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {397E4CEB-7A82-FF3A-802B-221B6D9D875E} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:07:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=225970 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:07:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=226026 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x7ABBE Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:07:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226025 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x7ABBE Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {B437182F-665D-BA30-3B32-D886A8AAA7C8} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:07:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226024 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {B437182F-665D-BA30-3B32-D886A8AAA7C8} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:07:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=226023 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {B437182F-665D-BA30-3B32-D886A8AAA7C8} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:07:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=226022 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:07:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=226021 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x7AB3C Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:07:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226020 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x7AB3C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {B437182F-665D-BA30-3B32-D886A8AAA7C8} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:07:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226019 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {B437182F-665D-BA30-3B32-D886A8AAA7C8} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:07:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=226018 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {B437182F-665D-BA30-3B32-D886A8AAA7C8} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:07:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=226017 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:07:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=226016 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x7A8F1 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:07:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226015 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x7A8F1 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {B437182F-665D-BA30-3B32-D886A8AAA7C8} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:07:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226014 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {B437182F-665D-BA30-3B32-D886A8AAA7C8} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:07:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=226013 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {B437182F-665D-BA30-3B32-D886A8AAA7C8} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:07:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=226012 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:07:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=226011 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x751B9 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:07:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=226010 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x7A750 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:07:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=226009 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x754B4 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:07:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=226008 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x7A750 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:07:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226007 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x7A750 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {B437182F-665D-BA30-3B32-D886A8AAA7C8} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:07:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226006 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {B437182F-665D-BA30-3B32-D886A8AAA7C8} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:07:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=226005 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {B437182F-665D-BA30-3B32-D886A8AAA7C8} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:07:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=226004 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:07:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=226003 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x7A734 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:07:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=226002 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x7A734 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:07:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226001 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x7A734 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {B437182F-665D-BA30-3B32-D886A8AAA7C8} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:07:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226000 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {B437182F-665D-BA30-3B32-D886A8AAA7C8} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:07:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=225999 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {B437182F-665D-BA30-3B32-D886A8AAA7C8} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:07:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=225998 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:07:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=225997 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x77739 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:07:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=225996 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x769F1 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:07:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=225995 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x75540 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:07:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=226068 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x7CE02 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:07:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226067 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x7CE02 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {19A535B9-5F38-CD69-9628-C4931A9A1266} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:07:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226066 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {19A535B9-5F38-CD69-9628-C4931A9A1266} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:07:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=226065 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {19A535B9-5F38-CD69-9628-C4931A9A1266} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:07:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=226064 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:07:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=226063 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x7CD8A Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:07:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226062 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x7CD8A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {19A535B9-5F38-CD69-9628-C4931A9A1266} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:07:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226061 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {19A535B9-5F38-CD69-9628-C4931A9A1266} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:07:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=226060 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {19A535B9-5F38-CD69-9628-C4931A9A1266} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:07:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=226059 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:07:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=226058 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x7CB3B Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:07:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226057 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x7CB3B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {19A535B9-5F38-CD69-9628-C4931A9A1266} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:07:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226056 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {19A535B9-5F38-CD69-9628-C4931A9A1266} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:07:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=226055 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {19A535B9-5F38-CD69-9628-C4931A9A1266} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:07:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=226054 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:07:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=226053 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x7A8F1 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:07:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=226052 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x7CB04 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:07:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=226051 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x7AB3C Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:07:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=226050 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x7CB04 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:07:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226049 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x7CB04 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {19A535B9-5F38-CD69-9628-C4931A9A1266} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:07:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226048 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {19A535B9-5F38-CD69-9628-C4931A9A1266} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:07:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=226047 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {19A535B9-5F38-CD69-9628-C4931A9A1266} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:07:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=226046 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:07:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=226045 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x7CAE8 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:07:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=226044 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x7CAE8 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:07:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226043 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x7CAE8 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {19A535B9-5F38-CD69-9628-C4931A9A1266} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:07:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226042 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {19A535B9-5F38-CD69-9628-C4931A9A1266} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:07:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=226041 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {19A535B9-5F38-CD69-9628-C4931A9A1266} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:07:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=226040 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:07:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=226039 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x7CA76 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:07:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=226038 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x7BFF9 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:07:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=226037 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x7ABBE Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:07:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=226036 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x7CA76 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:07:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226035 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x7CA76 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {19A535B9-5F38-CD69-9628-C4931A9A1266} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:07:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226034 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {19A535B9-5F38-CD69-9628-C4931A9A1266} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:07:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=226033 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {19A535B9-5F38-CD69-9628-C4931A9A1266} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:07:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=226032 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:07:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=226031 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x7BFF9 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:07:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226030 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x7BFF9 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {19A535B9-5F38-CD69-9628-C4931A9A1266} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:07:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226029 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {19A535B9-5F38-CD69-9628-C4931A9A1266} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:07:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=226028 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {19A535B9-5F38-CD69-9628-C4931A9A1266} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:07:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=226027 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:07:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=226090 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x7FCDA Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:07:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226089 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x7FCDA Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {BE6F9D93-2859-45CD-571D-D8134C2B890C} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:07:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226088 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {BE6F9D93-2859-45CD-571D-D8134C2B890C} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:07:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=226087 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {BE6F9D93-2859-45CD-571D-D8134C2B890C} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:07:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=226086 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:07:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=226085 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x7E8B3 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:07:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226084 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x7E8B3 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {BE6F9D93-2859-45CD-571D-D8134C2B890C} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:07:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226083 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {BE6F9D93-2859-45CD-571D-D8134C2B890C} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:07:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=226082 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {BE6F9D93-2859-45CD-571D-D8134C2B890C} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:07:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=226081 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:07:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=226080 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x7E80E Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:07:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226079 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x7E80E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {BE6F9D93-2859-45CD-571D-D8134C2B890C} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:07:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226078 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {BE6F9D93-2859-45CD-571D-D8134C2B890C} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:07:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=226077 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {BE6F9D93-2859-45CD-571D-D8134C2B890C} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:07:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=226076 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:07:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=226075 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x7E7E8 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:07:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=226074 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x7E7E8 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:07:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226073 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x7E7E8 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {BE6F9D93-2859-45CD-571D-D8134C2B890C} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:07:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226072 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {BE6F9D93-2859-45CD-571D-D8134C2B890C} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:07:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=226071 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {BE6F9D93-2859-45CD-571D-D8134C2B890C} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:07:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=226070 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:07:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=226069 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x7CE02 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:07:30 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=226119 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x82FBD Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:07:30 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226118 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x82FBD Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {BDDFB8E9-8B2B-1A3C-5839-364A3E3E4275} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:07:30 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226117 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {BDDFB8E9-8B2B-1A3C-5839-364A3E3E4275} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:07:30 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=226116 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {BDDFB8E9-8B2B-1A3C-5839-364A3E3E4275} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:07:30 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=226115 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:07:30 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=226114 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x82F43 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:07:30 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226113 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x82F43 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {BDDFB8E9-8B2B-1A3C-5839-364A3E3E4275} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:07:30 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226112 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {BDDFB8E9-8B2B-1A3C-5839-364A3E3E4275} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:07:30 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=226111 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {BDDFB8E9-8B2B-1A3C-5839-364A3E3E4275} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:07:30 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=226110 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:07:30 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=226109 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x82ECE Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:07:30 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226108 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x82ECE Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {BDDFB8E9-8B2B-1A3C-5839-364A3E3E4275} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:07:30 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226107 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {BDDFB8E9-8B2B-1A3C-5839-364A3E3E4275} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:07:30 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=226106 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {BDDFB8E9-8B2B-1A3C-5839-364A3E3E4275} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:07:30 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=226105 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:07:30 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=226104 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x82EB2 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:07:30 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=226103 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x82EB2 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:07:30 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226102 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x82EB2 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {BDDFB8E9-8B2B-1A3C-5839-364A3E3E4275} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:07:30 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226101 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {BDDFB8E9-8B2B-1A3C-5839-364A3E3E4275} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:07:30 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=226100 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {BDDFB8E9-8B2B-1A3C-5839-364A3E3E4275} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:07:30 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=226099 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:07:30 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=226098 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x8057C Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:07:30 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=226097 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x7FCDA Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:07:30 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=226096 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x7E8B3 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:07:30 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=226095 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x8057C Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:07:30 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226094 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x8057C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {BDDFB8E9-8B2B-1A3C-5839-364A3E3E4275} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:07:30 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226093 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {BDDFB8E9-8B2B-1A3C-5839-364A3E3E4275} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:07:30 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=226092 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {BDDFB8E9-8B2B-1A3C-5839-364A3E3E4275} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:07:30 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=226091 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:07:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=226160 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x85816 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:07:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226159 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x85816 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {EA319A23-3A72-1EC8-9D50-0C4E471B2DCE} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:07:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226158 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {EA319A23-3A72-1EC8-9D50-0C4E471B2DCE} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:07:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=226157 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {EA319A23-3A72-1EC8-9D50-0C4E471B2DCE} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:07:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=226156 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:07:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=226155 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x857AE Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:07:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226154 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x857AE Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {EA319A23-3A72-1EC8-9D50-0C4E471B2DCE} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:07:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226153 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {EA319A23-3A72-1EC8-9D50-0C4E471B2DCE} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:07:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=226152 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {EA319A23-3A72-1EC8-9D50-0C4E471B2DCE} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:07:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=226151 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:07:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=226150 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x85792 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:07:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=226149 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x85792 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:07:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226148 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x85792 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {EA319A23-3A72-1EC8-9D50-0C4E471B2DCE} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:07:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226147 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {EA319A23-3A72-1EC8-9D50-0C4E471B2DCE} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:07:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=226146 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {EA319A23-3A72-1EC8-9D50-0C4E471B2DCE} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:07:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=226145 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:07:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=226144 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x85216 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:07:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=226143 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x83CD4 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:07:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=226142 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x85216 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:07:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226141 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x85216 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {EA319A23-3A72-1EC8-9D50-0C4E471B2DCE} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:07:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226140 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {EA319A23-3A72-1EC8-9D50-0C4E471B2DCE} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:07:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=226139 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {EA319A23-3A72-1EC8-9D50-0C4E471B2DCE} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:07:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=226138 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:07:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=226137 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x83CD4 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:07:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226136 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x83CD4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {EA319A23-3A72-1EC8-9D50-0C4E471B2DCE} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:07:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226135 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {EA319A23-3A72-1EC8-9D50-0C4E471B2DCE} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:07:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=226134 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {EA319A23-3A72-1EC8-9D50-0C4E471B2DCE} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:07:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=226133 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:07:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=226132 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x83C5C Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:07:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226131 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x83C5C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {EA319A23-3A72-1EC8-9D50-0C4E471B2DCE} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:07:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226130 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {EA319A23-3A72-1EC8-9D50-0C4E471B2DCE} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:07:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=226129 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {EA319A23-3A72-1EC8-9D50-0C4E471B2DCE} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:07:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=226128 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:07:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=226127 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x83C40 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:07:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=226126 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x83C40 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:07:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226125 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x83C40 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {EA319A23-3A72-1EC8-9D50-0C4E471B2DCE} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:07:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226124 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {EA319A23-3A72-1EC8-9D50-0C4E471B2DCE} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:07:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=226123 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {EA319A23-3A72-1EC8-9D50-0C4E471B2DCE} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:07:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=226122 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:07:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=226121 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x82FBD Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:07:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=226120 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x82F43 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:07:32 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=226199 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x8871C Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:07:32 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226198 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x8871C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {6BE66068-D6C2-6BE7-0916-F740E3E07828} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:07:32 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226197 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {6BE66068-D6C2-6BE7-0916-F740E3E07828} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:07:32 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=226196 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {6BE66068-D6C2-6BE7-0916-F740E3E07828} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:07:32 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=226195 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:07:32 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=226194 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x872E0 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:07:32 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226193 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x872E0 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {6BE66068-D6C2-6BE7-0916-F740E3E07828} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:07:32 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226192 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {6BE66068-D6C2-6BE7-0916-F740E3E07828} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:07:32 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=226191 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {6BE66068-D6C2-6BE7-0916-F740E3E07828} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:07:32 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=226190 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:07:32 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=226189 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x87261 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:07:32 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226188 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x87261 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {6BE66068-D6C2-6BE7-0916-F740E3E07828} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:07:32 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226187 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {6BE66068-D6C2-6BE7-0916-F740E3E07828} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:07:32 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=226186 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {6BE66068-D6C2-6BE7-0916-F740E3E07828} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:07:32 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=226185 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:07:32 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=226184 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x87016 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:07:32 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226183 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x87016 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {6BE66068-D6C2-6BE7-0916-F740E3E07828} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:07:32 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226182 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {6BE66068-D6C2-6BE7-0916-F740E3E07828} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:07:32 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=226181 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {6BE66068-D6C2-6BE7-0916-F740E3E07828} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:07:32 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=226180 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:07:32 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=226179 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x7CB3B Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:07:32 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=226178 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x86FE1 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:07:32 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=226177 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x7E80E Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:07:32 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=226176 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x7CD8A Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:07:32 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=226175 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x83C5C Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:07:32 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=226174 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x82ECE Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:07:32 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=226173 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x857AE Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:07:32 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=226172 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x86FE1 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:07:32 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226171 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x86FE1 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {6BE66068-D6C2-6BE7-0916-F740E3E07828} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:07:32 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226170 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {6BE66068-D6C2-6BE7-0916-F740E3E07828} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:07:32 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=226169 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {6BE66068-D6C2-6BE7-0916-F740E3E07828} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:07:32 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=226168 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:07:32 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=226167 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x86FC5 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:07:32 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=226166 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x86FC5 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:07:32 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226165 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x86FC5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {6BE66068-D6C2-6BE7-0916-F740E3E07828} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:07:32 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226164 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {6BE66068-D6C2-6BE7-0916-F740E3E07828} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:07:32 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=226163 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {6BE66068-D6C2-6BE7-0916-F740E3E07828} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:07:32 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=226162 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:07:32 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=226161 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x85816 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:07:33 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=226252 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x8C079 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:07:33 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226251 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x8C079 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {02B1DCD3-DF1C-9611-0C7F-31BE92164A55} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:07:33 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226250 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {02B1DCD3-DF1C-9611-0C7F-31BE92164A55} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:07:33 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=226249 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {02B1DCD3-DF1C-9611-0C7F-31BE92164A55} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:07:33 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=226248 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:07:33 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=226247 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x8AC5A Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:07:33 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226246 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x8AC5A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {02B1DCD3-DF1C-9611-0C7F-31BE92164A55} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:07:33 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226245 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {02B1DCD3-DF1C-9611-0C7F-31BE92164A55} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:07:33 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=226244 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {02B1DCD3-DF1C-9611-0C7F-31BE92164A55} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:07:33 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=226243 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:07:33 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=226242 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x8ABD6 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:07:33 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226241 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x8ABD6 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {02B1DCD3-DF1C-9611-0C7F-31BE92164A55} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:07:33 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226240 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {02B1DCD3-DF1C-9611-0C7F-31BE92164A55} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:07:33 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=226239 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {02B1DCD3-DF1C-9611-0C7F-31BE92164A55} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:07:33 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=226238 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:07:33 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=226237 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x8ABBA Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:07:33 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=226236 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x8ABBA Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:07:33 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226235 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x8ABBA Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {02B1DCD3-DF1C-9611-0C7F-31BE92164A55} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:07:33 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226234 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {02B1DCD3-DF1C-9611-0C7F-31BE92164A55} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:07:33 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=226233 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {02B1DCD3-DF1C-9611-0C7F-31BE92164A55} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:07:33 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=226232 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:07:33 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=226231 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x89304 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:07:33 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=226230 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x89304 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:07:33 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226229 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x89304 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {02B1DCD3-DF1C-9611-0C7F-31BE92164A55} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:07:33 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226228 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {02B1DCD3-DF1C-9611-0C7F-31BE92164A55} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:07:33 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=226227 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {02B1DCD3-DF1C-9611-0C7F-31BE92164A55} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:07:33 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=226226 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:07:33 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=226225 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x89285 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:07:33 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226224 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x89285 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {02B1DCD3-DF1C-9611-0C7F-31BE92164A55} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:07:33 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226223 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {02B1DCD3-DF1C-9611-0C7F-31BE92164A55} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:07:33 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=226222 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {02B1DCD3-DF1C-9611-0C7F-31BE92164A55} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:07:33 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=226221 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:07:33 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=226220 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x8903A Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:07:33 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226219 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x8903A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {02B1DCD3-DF1C-9611-0C7F-31BE92164A55} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:07:33 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226218 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {02B1DCD3-DF1C-9611-0C7F-31BE92164A55} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:07:33 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=226217 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {02B1DCD3-DF1C-9611-0C7F-31BE92164A55} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:07:33 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=226216 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:07:33 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=226215 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x87016 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:07:33 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=226214 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x89002 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:07:33 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=226213 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x87261 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:07:33 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=226212 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x89002 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:07:33 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226211 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x89002 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {02B1DCD3-DF1C-9611-0C7F-31BE92164A55} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:07:33 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226210 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {02B1DCD3-DF1C-9611-0C7F-31BE92164A55} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:07:33 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=226209 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {02B1DCD3-DF1C-9611-0C7F-31BE92164A55} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:07:33 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=226208 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:07:33 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=226207 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x88FE6 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:07:33 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=226206 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x88FE6 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:07:33 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226205 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x88FE6 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {02B1DCD3-DF1C-9611-0C7F-31BE92164A55} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:07:33 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226204 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {02B1DCD3-DF1C-9611-0C7F-31BE92164A55} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:07:33 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=226203 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {02B1DCD3-DF1C-9611-0C7F-31BE92164A55} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:07:33 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=226202 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:07:33 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=226201 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x8871C Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:07:33 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=226200 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x872E0 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:07:34 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=226257 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x8C80D Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:07:34 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226256 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x8C80D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {E4CBCCD4-1024-4445-C419-79AF4BF0796C} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:07:34 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226255 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {E4CBCCD4-1024-4445-C419-79AF4BF0796C} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:07:34 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=226254 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {E4CBCCD4-1024-4445-C419-79AF4BF0796C} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:07:34 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=226253 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:07:35 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=226304 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x8F0E3 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:07:35 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226303 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x8F0E3 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {72380A6A-241B-10C5-50D2-AE1856623259} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:07:35 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226302 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {72380A6A-241B-10C5-50D2-AE1856623259} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:07:35 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=226301 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {72380A6A-241B-10C5-50D2-AE1856623259} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:07:35 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=226300 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:07:35 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=226299 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x8DCAF Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:07:35 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226298 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x8DCAF Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {72380A6A-241B-10C5-50D2-AE1856623259} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:07:35 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226297 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {72380A6A-241B-10C5-50D2-AE1856623259} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:07:35 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=226296 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {72380A6A-241B-10C5-50D2-AE1856623259} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:07:35 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=226295 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:07:35 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=226294 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x8DC39 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:07:35 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226293 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x8DC39 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {72380A6A-241B-10C5-50D2-AE1856623259} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:07:35 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226292 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {72380A6A-241B-10C5-50D2-AE1856623259} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:07:35 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=226291 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {72380A6A-241B-10C5-50D2-AE1856623259} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:07:35 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=226290 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:07:35 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=226289 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x8DC1D Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:07:35 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=226288 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x8DC1D Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:07:35 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226287 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x8DC1D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {72380A6A-241B-10C5-50D2-AE1856623259} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:07:35 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226286 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {72380A6A-241B-10C5-50D2-AE1856623259} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:07:35 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=226285 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {72380A6A-241B-10C5-50D2-AE1856623259} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:07:35 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=226284 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:07:35 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=226283 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x8CF8E Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:07:35 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=226282 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x8CF11 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:07:35 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=226281 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x8CF8E Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:07:35 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226280 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x8CF8E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {72380A6A-241B-10C5-50D2-AE1856623259} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:07:35 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226279 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {72380A6A-241B-10C5-50D2-AE1856623259} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:07:35 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=226278 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {72380A6A-241B-10C5-50D2-AE1856623259} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:07:35 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=226277 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:07:35 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=226276 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x8CF11 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:07:35 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226275 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x8CF11 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {72380A6A-241B-10C5-50D2-AE1856623259} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:07:35 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226274 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {72380A6A-241B-10C5-50D2-AE1856623259} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:07:35 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=226273 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {72380A6A-241B-10C5-50D2-AE1856623259} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:07:35 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=226272 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:07:35 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=226271 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x8CEAB Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:07:35 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226270 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x8CEAB Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {72380A6A-241B-10C5-50D2-AE1856623259} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:07:35 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226269 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {72380A6A-241B-10C5-50D2-AE1856623259} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:07:35 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=226268 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {72380A6A-241B-10C5-50D2-AE1856623259} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:07:35 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=226267 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:07:35 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=226266 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x8CE8F Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:07:35 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=226265 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x8CE8F Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:07:35 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226264 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x8CE8F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {72380A6A-241B-10C5-50D2-AE1856623259} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:07:35 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226263 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {72380A6A-241B-10C5-50D2-AE1856623259} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:07:35 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=226262 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {72380A6A-241B-10C5-50D2-AE1856623259} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:07:35 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=226261 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:07:35 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=226260 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x8C80D Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:07:35 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=226259 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x8C079 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:07:35 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=226258 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x8AC5A Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:07:36 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=226361 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x9240F Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:07:36 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226360 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x9240F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {8AE1CC9B-4353-C0CC-FF62-6389E3896D03} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:07:36 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226359 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {8AE1CC9B-4353-C0CC-FF62-6389E3896D03} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:07:36 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=226358 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {8AE1CC9B-4353-C0CC-FF62-6389E3896D03} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:07:36 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=226357 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:07:36 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=226356 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x90FD4 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:07:36 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226355 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x90FD4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {8AE1CC9B-4353-C0CC-FF62-6389E3896D03} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:07:36 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226354 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {8AE1CC9B-4353-C0CC-FF62-6389E3896D03} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:07:36 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=226353 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {8AE1CC9B-4353-C0CC-FF62-6389E3896D03} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:07:36 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=226352 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:07:36 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=226351 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x90F59 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:07:36 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226350 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x90F59 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {8AE1CC9B-4353-C0CC-FF62-6389E3896D03} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:07:36 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226349 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {8AE1CC9B-4353-C0CC-FF62-6389E3896D03} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:07:36 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=226348 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {8AE1CC9B-4353-C0CC-FF62-6389E3896D03} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:07:36 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=226347 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:07:36 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=226346 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x90D0E Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:07:36 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226345 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x90D0E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {8AE1CC9B-4353-C0CC-FF62-6389E3896D03} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:07:36 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226344 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {8AE1CC9B-4353-C0CC-FF62-6389E3896D03} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:07:36 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=226343 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {8AE1CC9B-4353-C0CC-FF62-6389E3896D03} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:07:36 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=226342 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:07:36 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=226341 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x8903A Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:07:36 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=226340 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x90CD9 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:07:36 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=226339 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x8F5FE Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:07:36 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=226338 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x89285 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:07:36 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=226337 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x8CEAB Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:07:36 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=226336 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x8ABD6 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:07:36 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=226335 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x8DC39 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:07:36 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=226334 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x90CD9 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:07:36 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226333 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x90CD9 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {8AE1CC9B-4353-C0CC-FF62-6389E3896D03} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:07:36 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226332 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {8AE1CC9B-4353-C0CC-FF62-6389E3896D03} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:07:36 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=226331 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {8AE1CC9B-4353-C0CC-FF62-6389E3896D03} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:07:36 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=226330 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:07:36 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=226329 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x90CBD Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:07:36 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=226328 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x90CBD Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:07:36 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226327 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x90CBD Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {8AE1CC9B-4353-C0CC-FF62-6389E3896D03} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:07:36 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226326 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {8AE1CC9B-4353-C0CC-FF62-6389E3896D03} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:07:36 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=226325 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {8AE1CC9B-4353-C0CC-FF62-6389E3896D03} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:07:36 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=226324 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:07:36 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=226323 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x8F68A Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:07:36 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=226322 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x8F68A Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:07:36 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226321 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x8F68A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {8AE1CC9B-4353-C0CC-FF62-6389E3896D03} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:07:36 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226320 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {8AE1CC9B-4353-C0CC-FF62-6389E3896D03} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:07:36 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=226319 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {8AE1CC9B-4353-C0CC-FF62-6389E3896D03} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:07:36 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=226318 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:07:36 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=226317 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x8F5FE Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:07:36 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226316 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x8F5FE Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {8AE1CC9B-4353-C0CC-FF62-6389E3896D03} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:07:36 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226315 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {8AE1CC9B-4353-C0CC-FF62-6389E3896D03} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:07:36 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=226314 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {8AE1CC9B-4353-C0CC-FF62-6389E3896D03} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:07:36 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=226313 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:07:36 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=226312 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x8F5E2 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:07:36 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=226311 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x8F5E2 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:07:36 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226310 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x8F5E2 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {8AE1CC9B-4353-C0CC-FF62-6389E3896D03} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:07:36 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226309 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {8AE1CC9B-4353-C0CC-FF62-6389E3896D03} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:07:36 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=226308 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {8AE1CC9B-4353-C0CC-FF62-6389E3896D03} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:07:36 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=226307 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:07:36 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=226306 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x8F0E3 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:07:36 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=226305 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x8DCAF Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:07:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=226403 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x94463 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:07:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226402 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x94463 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {539E706B-02A2-3ED6-4DD1-3CAF0D901E19} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:07:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226401 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {539E706B-02A2-3ED6-4DD1-3CAF0D901E19} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:07:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=226400 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {539E706B-02A2-3ED6-4DD1-3CAF0D901E19} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:07:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=226399 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:07:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=226398 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x9301F Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:07:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226397 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x9301F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {539E706B-02A2-3ED6-4DD1-3CAF0D901E19} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:07:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226396 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {539E706B-02A2-3ED6-4DD1-3CAF0D901E19} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:07:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=226395 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {539E706B-02A2-3ED6-4DD1-3CAF0D901E19} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:07:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=226394 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:07:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=226393 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x92FA6 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:07:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226392 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x92FA6 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {539E706B-02A2-3ED6-4DD1-3CAF0D901E19} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:07:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226391 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {539E706B-02A2-3ED6-4DD1-3CAF0D901E19} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:07:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=226390 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {539E706B-02A2-3ED6-4DD1-3CAF0D901E19} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:07:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=226389 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:07:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=226388 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x92D5B Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:07:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226387 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x92D5B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {539E706B-02A2-3ED6-4DD1-3CAF0D901E19} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:07:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226386 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {539E706B-02A2-3ED6-4DD1-3CAF0D901E19} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:07:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=226385 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {539E706B-02A2-3ED6-4DD1-3CAF0D901E19} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:07:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=226384 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:07:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=226383 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x90D0E Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:07:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=226382 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x92D26 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:07:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=226381 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x90F59 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:07:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=226380 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x92D26 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:07:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226379 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x92D26 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {539E706B-02A2-3ED6-4DD1-3CAF0D901E19} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:07:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226378 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {539E706B-02A2-3ED6-4DD1-3CAF0D901E19} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:07:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=226377 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {539E706B-02A2-3ED6-4DD1-3CAF0D901E19} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:07:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=226376 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:07:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=226375 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x92D0A Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:07:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=226374 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x92D0A Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:07:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226373 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x92D0A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {539E706B-02A2-3ED6-4DD1-3CAF0D901E19} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:07:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226372 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {539E706B-02A2-3ED6-4DD1-3CAF0D901E19} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:07:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=226371 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {539E706B-02A2-3ED6-4DD1-3CAF0D901E19} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:07:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=226370 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:07:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=226369 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x92C7F Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:07:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=226368 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x9240F Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:07:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=226367 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x90FD4 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:07:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=226366 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x92C7F Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:07:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226365 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x92C7F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {539E706B-02A2-3ED6-4DD1-3CAF0D901E19} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:07:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226364 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {539E706B-02A2-3ED6-4DD1-3CAF0D901E19} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:07:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=226363 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {539E706B-02A2-3ED6-4DD1-3CAF0D901E19} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:07:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=226362 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:07:38 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=226456 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x97046 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:07:38 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226455 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x97046 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {2B0E3558-A684-1C74-E97A-163145D223FA} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:07:38 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226454 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {2B0E3558-A684-1C74-E97A-163145D223FA} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:07:38 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=226453 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {2B0E3558-A684-1C74-E97A-163145D223FA} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:07:38 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=226452 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:07:38 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=226451 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x9702A Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:07:38 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=226450 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x9702A Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:07:38 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226449 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x9702A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {2B0E3558-A684-1C74-E97A-163145D223FA} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:07:38 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226448 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {2B0E3558-A684-1C74-E97A-163145D223FA} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:07:38 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=226447 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {2B0E3558-A684-1C74-E97A-163145D223FA} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:07:38 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=226446 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:07:38 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=226445 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x96388 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:07:38 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=226444 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x96314 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:07:38 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=226443 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x96388 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:07:38 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226442 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x96388 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {2B0E3558-A684-1C74-E97A-163145D223FA} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:07:38 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226441 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {2B0E3558-A684-1C74-E97A-163145D223FA} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:07:38 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=226440 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {2B0E3558-A684-1C74-E97A-163145D223FA} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:07:38 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=226439 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:07:38 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=226438 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x96314 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:07:38 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226437 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x96314 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {2B0E3558-A684-1C74-E97A-163145D223FA} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:07:38 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226436 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {2B0E3558-A684-1C74-E97A-163145D223FA} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:07:38 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=226435 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {2B0E3558-A684-1C74-E97A-163145D223FA} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:07:38 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=226434 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:07:38 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=226433 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x962A6 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:07:38 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226432 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x962A6 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {2B0E3558-A684-1C74-E97A-163145D223FA} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:07:38 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226431 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {2B0E3558-A684-1C74-E97A-163145D223FA} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:07:38 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=226430 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {2B0E3558-A684-1C74-E97A-163145D223FA} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:07:38 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=226429 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:07:38 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=226428 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x9628A Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:07:38 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=226427 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x9628A Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:07:38 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226426 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x9628A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {2B0E3558-A684-1C74-E97A-163145D223FA} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:07:38 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226425 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {2B0E3558-A684-1C74-E97A-163145D223FA} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:07:38 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=226424 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {2B0E3558-A684-1C74-E97A-163145D223FA} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:07:38 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=226423 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:07:38 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=226422 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x949C9 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:07:38 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=226421 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x949C9 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:07:38 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226420 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x949C9 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {2B0E3558-A684-1C74-E97A-163145D223FA} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:07:38 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226419 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {2B0E3558-A684-1C74-E97A-163145D223FA} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:07:38 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=226418 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {2B0E3558-A684-1C74-E97A-163145D223FA} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:07:38 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=226417 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:07:38 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=226416 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x94964 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:07:38 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226415 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x94964 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {2B0E3558-A684-1C74-E97A-163145D223FA} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:07:38 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226414 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {2B0E3558-A684-1C74-E97A-163145D223FA} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:07:38 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=226413 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {2B0E3558-A684-1C74-E97A-163145D223FA} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:07:38 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=226412 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:07:38 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=226411 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x94948 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:07:38 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=226410 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x94948 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:07:38 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226409 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x94948 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {2B0E3558-A684-1C74-E97A-163145D223FA} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:07:38 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226408 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {2B0E3558-A684-1C74-E97A-163145D223FA} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:07:38 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=226407 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {2B0E3558-A684-1C74-E97A-163145D223FA} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:07:38 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=226406 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:07:38 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=226405 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x94463 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:07:38 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=226404 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x9301F Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:07:39 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=226484 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x98A5E Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:07:39 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226483 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x98A5E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {4B6DFB3F-D4EB-6FBD-15EE-B4031ECC1FFB} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:07:39 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226482 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {4B6DFB3F-D4EB-6FBD-15EE-B4031ECC1FFB} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:07:39 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=226481 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {4B6DFB3F-D4EB-6FBD-15EE-B4031ECC1FFB} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:07:39 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=226480 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:07:39 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=226479 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x989FF Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:07:39 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226478 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x989FF Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {4B6DFB3F-D4EB-6FBD-15EE-B4031ECC1FFB} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:07:39 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226477 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {4B6DFB3F-D4EB-6FBD-15EE-B4031ECC1FFB} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:07:39 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=226476 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {4B6DFB3F-D4EB-6FBD-15EE-B4031ECC1FFB} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:07:39 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=226475 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:07:39 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=226474 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x989E3 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:07:39 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=226473 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x989E3 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:07:39 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226472 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x989E3 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {4B6DFB3F-D4EB-6FBD-15EE-B4031ECC1FFB} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:07:39 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226471 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {4B6DFB3F-D4EB-6FBD-15EE-B4031ECC1FFB} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:07:39 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=226470 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {4B6DFB3F-D4EB-6FBD-15EE-B4031ECC1FFB} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:07:39 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=226469 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:07:39 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=226468 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x984D5 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:07:39 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=226467 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x970BB Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:07:39 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=226466 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x984D5 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:07:39 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226465 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x984D5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {4B6DFB3F-D4EB-6FBD-15EE-B4031ECC1FFB} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:07:39 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226464 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {4B6DFB3F-D4EB-6FBD-15EE-B4031ECC1FFB} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:07:39 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=226463 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {4B6DFB3F-D4EB-6FBD-15EE-B4031ECC1FFB} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:07:39 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=226462 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:07:39 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=226461 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x970BB Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:07:39 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226460 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x970BB Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {2B0E3558-A684-1C74-E97A-163145D223FA} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:07:39 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226459 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {2B0E3558-A684-1C74-E97A-163145D223FA} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:07:39 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=226458 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {2B0E3558-A684-1C74-E97A-163145D223FA} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:07:39 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=226457 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:07:40 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=226523 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x9B7F9 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:07:40 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226522 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x9B7F9 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {B8D5F7A2-5643-38E6-5FBE-62ADA932BACB} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:07:40 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226521 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {B8D5F7A2-5643-38E6-5FBE-62ADA932BACB} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:07:40 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=226520 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {B8D5F7A2-5643-38E6-5FBE-62ADA932BACB} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:07:40 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=226519 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:07:40 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=226518 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x9A3C2 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:07:40 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226517 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x9A3C2 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {B8D5F7A2-5643-38E6-5FBE-62ADA932BACB} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:07:40 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226516 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {B8D5F7A2-5643-38E6-5FBE-62ADA932BACB} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:07:40 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=226515 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {B8D5F7A2-5643-38E6-5FBE-62ADA932BACB} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:07:40 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=226514 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:07:40 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=226513 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x9A345 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:07:40 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226512 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x9A345 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {B8D5F7A2-5643-38E6-5FBE-62ADA932BACB} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:07:40 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226511 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {B8D5F7A2-5643-38E6-5FBE-62ADA932BACB} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:07:40 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=226510 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {B8D5F7A2-5643-38E6-5FBE-62ADA932BACB} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:07:40 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=226509 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:07:40 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=226508 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x9A0FA Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:07:40 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226507 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x9A0FA Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {B8D5F7A2-5643-38E6-5FBE-62ADA932BACB} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:07:40 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226506 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {B8D5F7A2-5643-38E6-5FBE-62ADA932BACB} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:07:40 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=226505 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {B8D5F7A2-5643-38E6-5FBE-62ADA932BACB} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:07:40 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=226504 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:07:40 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=226503 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x92D5B Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:07:40 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=226502 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x9A0C5 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:07:40 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=226501 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x92FA6 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:07:40 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=226500 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x94964 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:07:40 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=226499 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x962A6 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:07:40 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=226498 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x989FF Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:07:40 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=226497 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x97046 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:07:40 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=226496 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x9A0C5 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:07:40 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226495 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x9A0C5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {B8D5F7A2-5643-38E6-5FBE-62ADA932BACB} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:07:40 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226494 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {B8D5F7A2-5643-38E6-5FBE-62ADA932BACB} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:07:40 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=226493 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {B8D5F7A2-5643-38E6-5FBE-62ADA932BACB} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:07:40 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=226492 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:07:40 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=226491 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x9A0A9 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:07:40 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=226490 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x9A0A9 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:07:40 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226489 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x9A0A9 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {B8D5F7A2-5643-38E6-5FBE-62ADA932BACB} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:07:40 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226488 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {B8D5F7A2-5643-38E6-5FBE-62ADA932BACB} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:07:40 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=226487 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {B8D5F7A2-5643-38E6-5FBE-62ADA932BACB} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:07:40 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=226486 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:07:40 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=226485 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x98A5E Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:07:41 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=226565 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x9D836 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:07:41 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226564 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x9D836 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {537D22DA-12AA-60F4-B467-C430EFBAF783} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:07:41 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226563 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {537D22DA-12AA-60F4-B467-C430EFBAF783} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:07:41 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=226562 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {537D22DA-12AA-60F4-B467-C430EFBAF783} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:07:41 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=226561 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:07:41 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=226560 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x9C3FF Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:07:41 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226559 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x9C3FF Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {537D22DA-12AA-60F4-B467-C430EFBAF783} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:07:41 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226558 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {537D22DA-12AA-60F4-B467-C430EFBAF783} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:07:41 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=226557 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {537D22DA-12AA-60F4-B467-C430EFBAF783} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:07:41 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=226556 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:07:41 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=226555 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x9C37A Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:07:41 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226554 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x9C37A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {537D22DA-12AA-60F4-B467-C430EFBAF783} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:07:41 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226553 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {537D22DA-12AA-60F4-B467-C430EFBAF783} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:07:41 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=226552 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {537D22DA-12AA-60F4-B467-C430EFBAF783} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:07:41 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=226551 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:07:41 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=226550 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x9C12F Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:07:41 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226549 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x9C12F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {537D22DA-12AA-60F4-B467-C430EFBAF783} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:07:41 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226548 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {537D22DA-12AA-60F4-B467-C430EFBAF783} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:07:41 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=226547 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {537D22DA-12AA-60F4-B467-C430EFBAF783} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:07:41 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=226546 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:07:41 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=226545 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x9A0FA Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:07:41 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=226544 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x9C0FA Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:07:41 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=226543 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x9A345 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:07:41 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=226542 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x9C0FA Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:07:41 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226541 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x9C0FA Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {537D22DA-12AA-60F4-B467-C430EFBAF783} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:07:41 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226540 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {537D22DA-12AA-60F4-B467-C430EFBAF783} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:07:41 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=226539 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {537D22DA-12AA-60F4-B467-C430EFBAF783} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:07:41 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=226538 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:07:41 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=226537 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x9C0DE Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:07:41 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=226536 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x9C0DE Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:07:41 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226535 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x9C0DE Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {537D22DA-12AA-60F4-B467-C430EFBAF783} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:07:41 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226534 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {537D22DA-12AA-60F4-B467-C430EFBAF783} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:07:41 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=226533 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {537D22DA-12AA-60F4-B467-C430EFBAF783} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:07:41 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=226532 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:07:41 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=226531 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x9C06D Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:07:41 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=226530 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x9B7F9 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:07:41 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=226529 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x9A3C2 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:07:41 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=226528 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x9C06D Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:07:41 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226527 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x9C06D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {537D22DA-12AA-60F4-B467-C430EFBAF783} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:07:41 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226526 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {537D22DA-12AA-60F4-B467-C430EFBAF783} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:07:41 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=226525 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {537D22DA-12AA-60F4-B467-C430EFBAF783} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:07:41 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=226524 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:07:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=226628 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xA1894 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:07:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226627 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xA1894 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {ECCEB09D-0145-A236-D1B4-FE2EA8703EB1} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:07:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226626 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {ECCEB09D-0145-A236-D1B4-FE2EA8703EB1} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:07:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=226625 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {ECCEB09D-0145-A236-D1B4-FE2EA8703EB1} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:07:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=226624 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:07:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=226623 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xA0470 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:07:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226622 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xA0470 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {ECCEB09D-0145-A236-D1B4-FE2EA8703EB1} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:07:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226621 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {ECCEB09D-0145-A236-D1B4-FE2EA8703EB1} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:07:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=226620 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {ECCEB09D-0145-A236-D1B4-FE2EA8703EB1} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:07:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=226619 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:07:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=226618 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xA03F7 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:07:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226617 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xA03F7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {ECCEB09D-0145-A236-D1B4-FE2EA8703EB1} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:07:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226616 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {ECCEB09D-0145-A236-D1B4-FE2EA8703EB1} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:07:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=226615 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {ECCEB09D-0145-A236-D1B4-FE2EA8703EB1} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:07:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=226614 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:07:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=226613 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xA03DB Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:07:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=226612 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xA03DB Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:07:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226611 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xA03DB Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {ECCEB09D-0145-A236-D1B4-FE2EA8703EB1} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:07:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226610 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {ECCEB09D-0145-A236-D1B4-FE2EA8703EB1} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:07:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=226609 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {ECCEB09D-0145-A236-D1B4-FE2EA8703EB1} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:07:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=226608 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:07:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=226607 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x9F756 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:07:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=226606 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x9F6E0 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:07:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=226605 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x9F756 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:07:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226604 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x9F756 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {ECCEB09D-0145-A236-D1B4-FE2EA8703EB1} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:07:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226603 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {ECCEB09D-0145-A236-D1B4-FE2EA8703EB1} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:07:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=226602 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {ECCEB09D-0145-A236-D1B4-FE2EA8703EB1} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:07:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=226601 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:07:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=226600 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x9F6E0 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:07:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226599 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x9F6E0 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {ECCEB09D-0145-A236-D1B4-FE2EA8703EB1} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:07:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226598 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {ECCEB09D-0145-A236-D1B4-FE2EA8703EB1} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:07:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=226597 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {ECCEB09D-0145-A236-D1B4-FE2EA8703EB1} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:07:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=226596 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:07:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=226595 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x9F669 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:07:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226594 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x9F669 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {ECCEB09D-0145-A236-D1B4-FE2EA8703EB1} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:07:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226593 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {ECCEB09D-0145-A236-D1B4-FE2EA8703EB1} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:07:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=226592 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {ECCEB09D-0145-A236-D1B4-FE2EA8703EB1} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:07:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=226591 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:07:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=226590 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x9F64D Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:07:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=226589 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x9F64D Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:07:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226588 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x9F64D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {ECCEB09D-0145-A236-D1B4-FE2EA8703EB1} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:07:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226587 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {ECCEB09D-0145-A236-D1B4-FE2EA8703EB1} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:07:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=226586 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {ECCEB09D-0145-A236-D1B4-FE2EA8703EB1} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:07:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=226585 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:07:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=226584 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x9DD96 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:07:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=226583 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x9DD96 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:07:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226582 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x9DD96 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {ECCEB09D-0145-A236-D1B4-FE2EA8703EB1} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:07:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226581 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {ECCEB09D-0145-A236-D1B4-FE2EA8703EB1} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:07:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=226580 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {ECCEB09D-0145-A236-D1B4-FE2EA8703EB1} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:07:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=226579 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:07:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=226578 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x9DD39 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:07:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226577 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x9DD39 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {ECCEB09D-0145-A236-D1B4-FE2EA8703EB1} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:07:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226576 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {ECCEB09D-0145-A236-D1B4-FE2EA8703EB1} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:07:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=226575 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {ECCEB09D-0145-A236-D1B4-FE2EA8703EB1} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:07:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=226574 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:07:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=226573 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x9DD1D Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:07:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=226572 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x9DD1D Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:07:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226571 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x9DD1D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {ECCEB09D-0145-A236-D1B4-FE2EA8703EB1} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:07:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226570 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {ECCEB09D-0145-A236-D1B4-FE2EA8703EB1} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:07:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=226569 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {ECCEB09D-0145-A236-D1B4-FE2EA8703EB1} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:07:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=226568 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:07:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=226567 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x9D836 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:07:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=226566 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x9C3FF Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:07:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=226680 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xA3786 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:07:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226679 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xA3786 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {38A9B518-C1B1-7364-6FD0-3C8C9CE06273} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:07:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226678 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {38A9B518-C1B1-7364-6FD0-3C8C9CE06273} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:07:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=226677 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {38A9B518-C1B1-7364-6FD0-3C8C9CE06273} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:07:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=226676 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:07:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=226675 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xA3702 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:07:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226674 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xA3702 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {38A9B518-C1B1-7364-6FD0-3C8C9CE06273} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:07:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226673 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {38A9B518-C1B1-7364-6FD0-3C8C9CE06273} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:07:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=226672 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {38A9B518-C1B1-7364-6FD0-3C8C9CE06273} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:07:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=226671 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:07:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=226670 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xA34B7 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:07:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226669 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xA34B7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {38A9B518-C1B1-7364-6FD0-3C8C9CE06273} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:07:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226668 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {38A9B518-C1B1-7364-6FD0-3C8C9CE06273} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:07:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=226667 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {38A9B518-C1B1-7364-6FD0-3C8C9CE06273} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:07:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=226666 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:07:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=226665 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x9C12F Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:07:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=226664 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xA347E Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:07:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=226663 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x9DD39 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:07:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=226662 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x9F669 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:07:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=226661 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xA03F7 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:07:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=226660 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x9C37A Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:07:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=226659 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xA1DBE Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:07:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=226658 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xA347E Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:07:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226657 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xA347E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {38A9B518-C1B1-7364-6FD0-3C8C9CE06273} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:07:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226656 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {38A9B518-C1B1-7364-6FD0-3C8C9CE06273} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:07:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=226655 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {38A9B518-C1B1-7364-6FD0-3C8C9CE06273} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:07:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=226654 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:07:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=226653 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xA3462 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:07:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=226652 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xA3462 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:07:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226651 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xA3462 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {38A9B518-C1B1-7364-6FD0-3C8C9CE06273} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:07:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226650 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {38A9B518-C1B1-7364-6FD0-3C8C9CE06273} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:07:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=226649 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {38A9B518-C1B1-7364-6FD0-3C8C9CE06273} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:07:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=226648 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:07:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=226647 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xA1E24 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:07:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=226646 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xA1E24 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:07:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226645 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xA1E24 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {38A9B518-C1B1-7364-6FD0-3C8C9CE06273} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:07:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226644 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {38A9B518-C1B1-7364-6FD0-3C8C9CE06273} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:07:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=226643 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {38A9B518-C1B1-7364-6FD0-3C8C9CE06273} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:07:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=226642 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:07:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=226641 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xA1DBE Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:07:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226640 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xA1DBE Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {38A9B518-C1B1-7364-6FD0-3C8C9CE06273} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:07:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226639 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {38A9B518-C1B1-7364-6FD0-3C8C9CE06273} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:07:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=226638 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {38A9B518-C1B1-7364-6FD0-3C8C9CE06273} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:07:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=226637 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:07:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=226636 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xA1DA2 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:07:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=226635 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xA1DA2 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:07:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226634 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xA1DA2 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {38A9B518-C1B1-7364-6FD0-3C8C9CE06273} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:07:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226633 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {38A9B518-C1B1-7364-6FD0-3C8C9CE06273} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:07:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=226632 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {38A9B518-C1B1-7364-6FD0-3C8C9CE06273} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:07:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=226631 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:07:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=226630 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xA1894 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:07:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=226629 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xA0470 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:07:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=226716 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xA57B9 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:07:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226715 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xA57B9 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {8C4B1153-5297-0C53-9DB1-6688FB51DEC0} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:07:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226714 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {8C4B1153-5297-0C53-9DB1-6688FB51DEC0} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:07:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=226713 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {8C4B1153-5297-0C53-9DB1-6688FB51DEC0} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:07:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=226712 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:07:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=226711 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xA572E Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:07:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226710 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xA572E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {8C4B1153-5297-0C53-9DB1-6688FB51DEC0} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:07:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226709 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {8C4B1153-5297-0C53-9DB1-6688FB51DEC0} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:07:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=226708 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {8C4B1153-5297-0C53-9DB1-6688FB51DEC0} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:07:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=226707 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:07:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=226706 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xA54DF Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:07:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226705 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xA54DF Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {8C4B1153-5297-0C53-9DB1-6688FB51DEC0} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:07:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226704 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {8C4B1153-5297-0C53-9DB1-6688FB51DEC0} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:07:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=226703 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {8C4B1153-5297-0C53-9DB1-6688FB51DEC0} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:07:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=226702 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:07:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=226701 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xA34B7 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:07:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=226700 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xA54AA Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:07:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=226699 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xA3702 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:07:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=226698 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xA54AA Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:07:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226697 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xA54AA Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {8C4B1153-5297-0C53-9DB1-6688FB51DEC0} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:07:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226696 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {8C4B1153-5297-0C53-9DB1-6688FB51DEC0} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:07:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=226695 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {8C4B1153-5297-0C53-9DB1-6688FB51DEC0} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:07:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=226694 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:07:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=226693 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xA548E Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:07:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=226692 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xA548E Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:07:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226691 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xA548E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {8C4B1153-5297-0C53-9DB1-6688FB51DEC0} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:07:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226690 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {8C4B1153-5297-0C53-9DB1-6688FB51DEC0} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:07:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=226689 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {8C4B1153-5297-0C53-9DB1-6688FB51DEC0} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:07:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=226688 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:07:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=226687 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xA4BAE Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:07:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=226686 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xA3786 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:07:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=226685 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xA4BAE Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:07:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226684 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xA4BAE Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {8C4B1153-5297-0C53-9DB1-6688FB51DEC0} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:07:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226683 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {8C4B1153-5297-0C53-9DB1-6688FB51DEC0} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:07:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=226682 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {8C4B1153-5297-0C53-9DB1-6688FB51DEC0} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:07:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=226681 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:07:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=226739 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xA7178 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:07:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226738 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xA7178 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {7082C5F0-7894-B667-9751-A848B8E8B04B} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:07:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226737 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {7082C5F0-7894-B667-9751-A848B8E8B04B} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:07:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=226736 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {7082C5F0-7894-B667-9751-A848B8E8B04B} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:07:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=226735 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:07:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=226734 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xA70F5 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:07:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226733 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xA70F5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {7082C5F0-7894-B667-9751-A848B8E8B04B} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:07:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226732 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {7082C5F0-7894-B667-9751-A848B8E8B04B} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:07:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=226731 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {7082C5F0-7894-B667-9751-A848B8E8B04B} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:07:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=226730 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:07:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=226729 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xA70D1 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:07:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=226728 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xA70D1 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:07:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226727 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xA70D1 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {7082C5F0-7894-B667-9751-A848B8E8B04B} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:07:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226726 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {7082C5F0-7894-B667-9751-A848B8E8B04B} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:07:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=226725 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {7082C5F0-7894-B667-9751-A848B8E8B04B} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:07:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=226724 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:07:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=226723 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xA6BD0 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:07:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=226722 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xA57B9 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:07:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=226721 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xA6BD0 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:07:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226720 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xA6BD0 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {7082C5F0-7894-B667-9751-A848B8E8B04B} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:07:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226719 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {7082C5F0-7894-B667-9751-A848B8E8B04B} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:07:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=226718 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {7082C5F0-7894-B667-9751-A848B8E8B04B} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:07:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=226717 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:07:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=226784 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xAAC5E Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:07:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226783 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xAAC5E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {80D9E0AE-140F-17A5-A07F-8CEE9397DA91} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:07:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226782 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {80D9E0AE-140F-17A5-A07F-8CEE9397DA91} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:07:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=226781 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {80D9E0AE-140F-17A5-A07F-8CEE9397DA91} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:07:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=226780 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:07:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=226779 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xA9822 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:07:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226778 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xA9822 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {80D9E0AE-140F-17A5-A07F-8CEE9397DA91} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:07:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226777 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {80D9E0AE-140F-17A5-A07F-8CEE9397DA91} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:07:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=226776 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {80D9E0AE-140F-17A5-A07F-8CEE9397DA91} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:07:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=226775 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:07:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=226774 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xA97AB Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:07:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226773 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xA97AB Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {80D9E0AE-140F-17A5-A07F-8CEE9397DA91} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:07:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226772 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {80D9E0AE-140F-17A5-A07F-8CEE9397DA91} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:07:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=226771 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {80D9E0AE-140F-17A5-A07F-8CEE9397DA91} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:07:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=226770 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:07:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=226769 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xA978F Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:07:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=226768 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xA978F Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:07:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226767 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xA978F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {80D9E0AE-140F-17A5-A07F-8CEE9397DA91} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:07:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226766 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {80D9E0AE-140F-17A5-A07F-8CEE9397DA91} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:07:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=226765 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {80D9E0AE-140F-17A5-A07F-8CEE9397DA91} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:07:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=226764 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:07:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=226763 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xA8AFA Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:07:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=226762 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xA8A87 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:07:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=226761 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xA8AFA Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:07:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226760 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xA8AFA Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {80D9E0AE-140F-17A5-A07F-8CEE9397DA91} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:07:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226759 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {80D9E0AE-140F-17A5-A07F-8CEE9397DA91} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:07:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=226758 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {80D9E0AE-140F-17A5-A07F-8CEE9397DA91} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:07:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=226757 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:07:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=226756 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xA8A87 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:07:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226755 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xA8A87 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {80D9E0AE-140F-17A5-A07F-8CEE9397DA91} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:07:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226754 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {80D9E0AE-140F-17A5-A07F-8CEE9397DA91} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:07:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=226753 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {80D9E0AE-140F-17A5-A07F-8CEE9397DA91} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:07:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=226752 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:07:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=226751 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xA8A19 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:07:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226750 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xA8A19 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {80D9E0AE-140F-17A5-A07F-8CEE9397DA91} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:07:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226749 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {80D9E0AE-140F-17A5-A07F-8CEE9397DA91} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:07:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=226748 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {80D9E0AE-140F-17A5-A07F-8CEE9397DA91} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:07:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=226747 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:07:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=226746 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xA89FD Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:07:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=226745 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xA89FD Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:07:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226744 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xA89FD Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {80D9E0AE-140F-17A5-A07F-8CEE9397DA91} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:07:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226743 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {80D9E0AE-140F-17A5-A07F-8CEE9397DA91} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:07:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=226742 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {80D9E0AE-140F-17A5-A07F-8CEE9397DA91} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:07:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=226741 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:07:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=226740 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xA7178 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:07:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=226841 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xADF7E Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:07:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226840 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xADF7E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {14107378-AE22-C7CD-4ACB-0CBF82A9B231} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:07:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226839 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {14107378-AE22-C7CD-4ACB-0CBF82A9B231} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:07:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=226838 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {14107378-AE22-C7CD-4ACB-0CBF82A9B231} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:07:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=226837 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:07:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=226836 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xACB52 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:07:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226835 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xACB52 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {14107378-AE22-C7CD-4ACB-0CBF82A9B231} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:07:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226834 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {14107378-AE22-C7CD-4ACB-0CBF82A9B231} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:07:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=226833 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {14107378-AE22-C7CD-4ACB-0CBF82A9B231} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:07:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=226832 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:07:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=226831 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xACAD8 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:07:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226830 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xACAD8 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {14107378-AE22-C7CD-4ACB-0CBF82A9B231} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:07:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226829 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {14107378-AE22-C7CD-4ACB-0CBF82A9B231} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:07:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=226828 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {14107378-AE22-C7CD-4ACB-0CBF82A9B231} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:07:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=226827 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:07:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=226826 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xAC88C Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:07:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226825 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xAC88C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {14107378-AE22-C7CD-4ACB-0CBF82A9B231} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:07:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226824 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {14107378-AE22-C7CD-4ACB-0CBF82A9B231} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:07:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=226823 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {14107378-AE22-C7CD-4ACB-0CBF82A9B231} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:07:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=226822 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:07:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=226821 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xA54DF Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:07:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=226820 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xAC851 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:07:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=226819 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xA572E Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:07:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=226818 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xAB172 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:07:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=226817 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xA97AB Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:07:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=226816 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xA70F5 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:07:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=226815 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xA8A19 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:07:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=226814 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xAC851 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:07:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226813 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xAC851 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {14107378-AE22-C7CD-4ACB-0CBF82A9B231} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:07:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226812 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {14107378-AE22-C7CD-4ACB-0CBF82A9B231} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:07:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=226811 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {14107378-AE22-C7CD-4ACB-0CBF82A9B231} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:07:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=226810 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:07:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=226809 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xAC835 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:07:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=226808 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xAC835 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:07:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226807 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xAC835 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {14107378-AE22-C7CD-4ACB-0CBF82A9B231} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:07:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226806 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {14107378-AE22-C7CD-4ACB-0CBF82A9B231} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:07:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=226805 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {14107378-AE22-C7CD-4ACB-0CBF82A9B231} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:07:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=226804 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:07:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=226803 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xAB1D1 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:07:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=226802 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xAB1D1 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:07:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226801 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xAB1D1 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {14107378-AE22-C7CD-4ACB-0CBF82A9B231} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:07:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226800 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {14107378-AE22-C7CD-4ACB-0CBF82A9B231} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:07:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=226799 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {14107378-AE22-C7CD-4ACB-0CBF82A9B231} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:07:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=226798 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:07:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=226797 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xAB172 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:07:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226796 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xAB172 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {14107378-AE22-C7CD-4ACB-0CBF82A9B231} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:07:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226795 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {14107378-AE22-C7CD-4ACB-0CBF82A9B231} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:07:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=226794 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {14107378-AE22-C7CD-4ACB-0CBF82A9B231} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:07:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=226793 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:07:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=226792 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xAB156 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:07:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=226791 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xAB156 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:07:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226790 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xAB156 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {14107378-AE22-C7CD-4ACB-0CBF82A9B231} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:07:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226789 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {14107378-AE22-C7CD-4ACB-0CBF82A9B231} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:07:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=226788 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {14107378-AE22-C7CD-4ACB-0CBF82A9B231} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:07:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=226787 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:07:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=226786 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xAAC5E Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:07:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=226785 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xA9822 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:07:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=226883 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xAFFE8 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:07:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226882 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xAFFE8 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {95126AF1-F021-562E-722C-E2228416F7B5} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:07:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226881 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {95126AF1-F021-562E-722C-E2228416F7B5} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:07:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=226880 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {95126AF1-F021-562E-722C-E2228416F7B5} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:07:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=226879 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:07:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=226878 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xAEBC8 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:07:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226877 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xAEBC8 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {95126AF1-F021-562E-722C-E2228416F7B5} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:07:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226876 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {95126AF1-F021-562E-722C-E2228416F7B5} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:07:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=226875 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {95126AF1-F021-562E-722C-E2228416F7B5} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:07:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=226874 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:07:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=226873 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xAEB3C Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:07:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226872 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xAEB3C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {95126AF1-F021-562E-722C-E2228416F7B5} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:07:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226871 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {95126AF1-F021-562E-722C-E2228416F7B5} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:07:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=226870 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {95126AF1-F021-562E-722C-E2228416F7B5} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:07:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=226869 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:07:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=226868 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xAE8F1 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:07:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226867 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xAE8F1 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {95126AF1-F021-562E-722C-E2228416F7B5} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:07:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226866 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {95126AF1-F021-562E-722C-E2228416F7B5} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:07:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=226865 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {95126AF1-F021-562E-722C-E2228416F7B5} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:07:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=226864 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:07:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=226863 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xAC88C Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:07:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=226862 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xAE8BC Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:07:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=226861 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xACAD8 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:07:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=226860 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xAE8BC Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:07:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226859 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xAE8BC Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {95126AF1-F021-562E-722C-E2228416F7B5} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:07:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226858 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {95126AF1-F021-562E-722C-E2228416F7B5} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:07:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=226857 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {95126AF1-F021-562E-722C-E2228416F7B5} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:07:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=226856 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:07:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=226855 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xAE8A0 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:07:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=226854 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xAE8A0 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:07:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226853 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xAE8A0 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {95126AF1-F021-562E-722C-E2228416F7B5} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:07:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226852 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {95126AF1-F021-562E-722C-E2228416F7B5} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:07:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=226851 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {95126AF1-F021-562E-722C-E2228416F7B5} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:07:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=226850 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:07:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=226849 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xAE82F Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:07:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=226848 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xADF7E Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:07:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=226847 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xACB52 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:07:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=226846 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xAE82F Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:07:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226845 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xAE82F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {95126AF1-F021-562E-722C-E2228416F7B5} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:07:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226844 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {95126AF1-F021-562E-722C-E2228416F7B5} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:07:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=226843 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {95126AF1-F021-562E-722C-E2228416F7B5} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:07:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=226842 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:07:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=226923 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xB1F0C Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:07:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226922 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xB1F0C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {32DA938E-DC8B-2277-7532-93A239ECA788} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:07:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226921 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {32DA938E-DC8B-2277-7532-93A239ECA788} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:07:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=226920 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {32DA938E-DC8B-2277-7532-93A239ECA788} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:07:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=226919 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:07:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=226918 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xB1E95 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:07:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226917 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xB1E95 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {32DA938E-DC8B-2277-7532-93A239ECA788} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:07:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226916 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {32DA938E-DC8B-2277-7532-93A239ECA788} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:07:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=226915 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {32DA938E-DC8B-2277-7532-93A239ECA788} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:07:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=226914 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:07:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=226913 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xB1E22 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:07:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226912 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xB1E22 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {32DA938E-DC8B-2277-7532-93A239ECA788} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:07:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226911 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {32DA938E-DC8B-2277-7532-93A239ECA788} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:07:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=226910 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {32DA938E-DC8B-2277-7532-93A239ECA788} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:07:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=226909 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:07:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=226908 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xB1E06 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:07:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=226907 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xB1E06 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:07:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226906 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xB1E06 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {32DA938E-DC8B-2277-7532-93A239ECA788} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:07:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226905 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {32DA938E-DC8B-2277-7532-93A239ECA788} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:07:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=226904 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {32DA938E-DC8B-2277-7532-93A239ECA788} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:07:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=226903 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:07:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=226902 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xB056A Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:07:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=226901 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xB056A Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:07:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226900 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xB056A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {32DA938E-DC8B-2277-7532-93A239ECA788} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:07:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226899 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {32DA938E-DC8B-2277-7532-93A239ECA788} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:07:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=226898 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {32DA938E-DC8B-2277-7532-93A239ECA788} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:07:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=226897 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:07:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=226896 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xB0504 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:07:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226895 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xB0504 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {32DA938E-DC8B-2277-7532-93A239ECA788} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:07:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226894 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {32DA938E-DC8B-2277-7532-93A239ECA788} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:07:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=226893 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {32DA938E-DC8B-2277-7532-93A239ECA788} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:07:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=226892 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:07:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=226891 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xB04E8 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:07:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=226890 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xB04E8 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:07:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226889 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xB04E8 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {32DA938E-DC8B-2277-7532-93A239ECA788} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:07:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226888 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {32DA938E-DC8B-2277-7532-93A239ECA788} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:07:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=226887 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {32DA938E-DC8B-2277-7532-93A239ECA788} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:07:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=226886 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:07:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=226885 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xAFFE8 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:07:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=226884 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xAEBC8 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:07:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=226964 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xB45E9 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:07:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226963 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xB45E9 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {DF4B6F82-64A8-FDFE-A7FA-B5BE1631B1A1} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:07:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226962 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {DF4B6F82-64A8-FDFE-A7FA-B5BE1631B1A1} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:07:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=226961 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {DF4B6F82-64A8-FDFE-A7FA-B5BE1631B1A1} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:07:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=226960 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:07:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=226959 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xB4582 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:07:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226958 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xB4582 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {DF4B6F82-64A8-FDFE-A7FA-B5BE1631B1A1} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:07:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226957 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {DF4B6F82-64A8-FDFE-A7FA-B5BE1631B1A1} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:07:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=226956 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {DF4B6F82-64A8-FDFE-A7FA-B5BE1631B1A1} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:07:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=226955 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:07:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=226954 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xB4566 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:07:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=226953 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xB4566 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:07:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226952 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xB4566 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {DF4B6F82-64A8-FDFE-A7FA-B5BE1631B1A1} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:07:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226951 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {DF4B6F82-64A8-FDFE-A7FA-B5BE1631B1A1} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:07:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=226950 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {DF4B6F82-64A8-FDFE-A7FA-B5BE1631B1A1} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:07:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=226949 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:07:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=226948 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xB4055 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:07:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=226947 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xB2C2C Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:07:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=226946 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xB4055 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:07:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226945 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xB4055 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {DF4B6F82-64A8-FDFE-A7FA-B5BE1631B1A1} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:07:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226944 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {DF4B6F82-64A8-FDFE-A7FA-B5BE1631B1A1} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:07:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=226943 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {DF4B6F82-64A8-FDFE-A7FA-B5BE1631B1A1} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:07:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=226942 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:07:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=226941 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xB2C2C Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:07:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226940 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xB2C2C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {DF4B6F82-64A8-FDFE-A7FA-B5BE1631B1A1} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:07:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226939 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {DF4B6F82-64A8-FDFE-A7FA-B5BE1631B1A1} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:07:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=226938 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {DF4B6F82-64A8-FDFE-A7FA-B5BE1631B1A1} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:07:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=226937 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:07:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=226936 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xB2BB5 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:07:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226935 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xB2BB5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {DF4B6F82-64A8-FDFE-A7FA-B5BE1631B1A1} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:07:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226934 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {DF4B6F82-64A8-FDFE-A7FA-B5BE1631B1A1} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:07:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=226933 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {DF4B6F82-64A8-FDFE-A7FA-B5BE1631B1A1} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:07:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=226932 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:07:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=226931 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xB2B99 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:07:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=226930 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xB2B99 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:07:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226929 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xB2B99 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {DF4B6F82-64A8-FDFE-A7FA-B5BE1631B1A1} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:07:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226928 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {DF4B6F82-64A8-FDFE-A7FA-B5BE1631B1A1} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:07:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=226927 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {DF4B6F82-64A8-FDFE-A7FA-B5BE1631B1A1} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:07:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=226926 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:07:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=226925 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xB1F0C Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:07:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=226924 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xB1E95 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:07:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=227003 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xB738F Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:07:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227002 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xB738F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {5B105020-4827-8D40-2F32-48E9F8A05667} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:07:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227001 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {5B105020-4827-8D40-2F32-48E9F8A05667} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:07:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=227000 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {5B105020-4827-8D40-2F32-48E9F8A05667} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:07:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=226999 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:07:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=226998 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xB5F69 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:07:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226997 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xB5F69 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {5B105020-4827-8D40-2F32-48E9F8A05667} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:07:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226996 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {5B105020-4827-8D40-2F32-48E9F8A05667} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:07:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=226995 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {5B105020-4827-8D40-2F32-48E9F8A05667} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:07:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=226994 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:07:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=226993 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xB5EC7 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:07:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226992 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xB5EC7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {5B105020-4827-8D40-2F32-48E9F8A05667} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:07:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226991 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {5B105020-4827-8D40-2F32-48E9F8A05667} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:07:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=226990 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {5B105020-4827-8D40-2F32-48E9F8A05667} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:07:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=226989 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:07:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=226988 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xB5C7C Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:07:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226987 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xB5C7C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {5B105020-4827-8D40-2F32-48E9F8A05667} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:07:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226986 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {5B105020-4827-8D40-2F32-48E9F8A05667} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:07:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=226985 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {5B105020-4827-8D40-2F32-48E9F8A05667} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:07:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=226984 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:07:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=226983 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xAE8F1 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:07:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=226982 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xB5C47 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:07:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=226981 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xB1E22 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:07:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=226980 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xAEB3C Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:07:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=226979 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xB2BB5 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:07:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=226978 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xB4582 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:07:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=226977 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xB0504 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:07:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=226976 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xB5C47 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:07:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226975 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xB5C47 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {5B105020-4827-8D40-2F32-48E9F8A05667} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:07:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226974 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {5B105020-4827-8D40-2F32-48E9F8A05667} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:07:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=226973 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {5B105020-4827-8D40-2F32-48E9F8A05667} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:07:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=226972 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:07:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=226971 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xB5C2B Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:07:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=226970 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xB5C2B Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:07:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226969 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xB5C2B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {5B105020-4827-8D40-2F32-48E9F8A05667} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:07:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=226968 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {5B105020-4827-8D40-2F32-48E9F8A05667} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:07:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=226967 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {5B105020-4827-8D40-2F32-48E9F8A05667} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:07:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=226966 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:07:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=226965 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xB45E9 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:07:52 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=227008 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xB7BE2 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:07:52 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227007 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xB7BE2 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {14710929-AC6D-1CDA-93FC-76BCA6C60C64} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:07:52 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227006 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {14710929-AC6D-1CDA-93FC-76BCA6C60C64} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:07:52 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=227005 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {14710929-AC6D-1CDA-93FC-76BCA6C60C64} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:07:52 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=227004 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:07:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=227045 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xBA77D Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:07:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227044 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xBA77D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {FC7BB0AE-29B0-3707-9A41-030F234C7832} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:07:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227043 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {FC7BB0AE-29B0-3707-9A41-030F234C7832} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:07:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=227042 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {FC7BB0AE-29B0-3707-9A41-030F234C7832} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:07:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=227041 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:07:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=227040 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xB9326 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:07:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227039 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xB9326 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {FC7BB0AE-29B0-3707-9A41-030F234C7832} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:07:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227038 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {FC7BB0AE-29B0-3707-9A41-030F234C7832} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:07:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=227037 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {FC7BB0AE-29B0-3707-9A41-030F234C7832} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:07:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=227036 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:07:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=227035 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xB929B Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:07:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227034 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xB929B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {FC7BB0AE-29B0-3707-9A41-030F234C7832} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:07:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227033 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {FC7BB0AE-29B0-3707-9A41-030F234C7832} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:07:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=227032 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {FC7BB0AE-29B0-3707-9A41-030F234C7832} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:07:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=227031 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:07:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=227030 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xB9050 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:07:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227029 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xB9050 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {FC7BB0AE-29B0-3707-9A41-030F234C7832} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:07:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227028 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {FC7BB0AE-29B0-3707-9A41-030F234C7832} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:07:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=227027 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {FC7BB0AE-29B0-3707-9A41-030F234C7832} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:07:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=227026 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:07:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=227025 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xB5C7C Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:07:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=227024 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xB901B Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:07:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=227023 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xB5EC7 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:07:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=227022 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xB901B Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:07:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227021 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xB901B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {FC7BB0AE-29B0-3707-9A41-030F234C7832} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:07:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227020 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {FC7BB0AE-29B0-3707-9A41-030F234C7832} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:07:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=227019 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {FC7BB0AE-29B0-3707-9A41-030F234C7832} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:07:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=227018 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:07:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=227017 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xB8FFF Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:07:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=227016 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xB8FFF Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:07:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227015 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xB8FFF Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {FC7BB0AE-29B0-3707-9A41-030F234C7832} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:07:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227014 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {FC7BB0AE-29B0-3707-9A41-030F234C7832} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:07:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=227013 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {FC7BB0AE-29B0-3707-9A41-030F234C7832} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:07:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=227012 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:07:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=227011 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xB7BE2 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:07:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=227010 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xB738F Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:07:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=227009 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xB5F69 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:07:55 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=227050 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xBAFD5 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:07:55 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227049 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xBAFD5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {D8FF4A76-7796-16FC-10C7-EE973E02B0A5} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:07:55 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227048 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {D8FF4A76-7796-16FC-10C7-EE973E02B0A5} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:07:55 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=227047 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {D8FF4A76-7796-16FC-10C7-EE973E02B0A5} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:07:55 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=227046 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:07:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=227087 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xBE844 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:07:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227086 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xBE844 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {368A0401-56E2-07D7-45A2-15BB3B42FD15} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:07:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227085 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {368A0401-56E2-07D7-45A2-15BB3B42FD15} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:07:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=227084 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {368A0401-56E2-07D7-45A2-15BB3B42FD15} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:07:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=227083 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:07:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=227082 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xBD3ED Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:07:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227081 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xBD3ED Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {368A0401-56E2-07D7-45A2-15BB3B42FD15} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:07:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227080 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {368A0401-56E2-07D7-45A2-15BB3B42FD15} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:07:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=227079 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {368A0401-56E2-07D7-45A2-15BB3B42FD15} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:07:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=227078 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:07:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=227077 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xBD36C Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:07:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227076 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xBD36C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {368A0401-56E2-07D7-45A2-15BB3B42FD15} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:07:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227075 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {368A0401-56E2-07D7-45A2-15BB3B42FD15} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:07:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=227074 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {368A0401-56E2-07D7-45A2-15BB3B42FD15} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:07:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=227073 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:07:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=227072 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xBD071 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:07:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227071 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xBD071 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {368A0401-56E2-07D7-45A2-15BB3B42FD15} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:07:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227070 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {368A0401-56E2-07D7-45A2-15BB3B42FD15} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:07:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=227069 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {368A0401-56E2-07D7-45A2-15BB3B42FD15} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:07:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=227068 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:07:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=227067 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xB9050 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:07:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=227066 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xBD012 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:07:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=227065 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xB929B Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:07:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=227064 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xBD012 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:07:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227063 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xBD012 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {368A0401-56E2-07D7-45A2-15BB3B42FD15} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:07:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227062 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {368A0401-56E2-07D7-45A2-15BB3B42FD15} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:07:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=227061 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {368A0401-56E2-07D7-45A2-15BB3B42FD15} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:07:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=227060 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:07:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=227059 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xBCFEE Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:07:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=227058 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xBCFEE Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:07:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227057 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xBCFEE Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {368A0401-56E2-07D7-45A2-15BB3B42FD15} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:07:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227056 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {368A0401-56E2-07D7-45A2-15BB3B42FD15} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:07:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=227055 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {368A0401-56E2-07D7-45A2-15BB3B42FD15} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:07:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=227054 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:07:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=227053 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xBAFD5 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:07:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=227052 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xBA77D Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:07:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=227051 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xB9326 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:07:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=227133 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xC0A3A Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:07:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227132 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xC0A3A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {CE7FB174-A25A-3D02-FE86-578280EEF47C} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:07:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227131 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {CE7FB174-A25A-3D02-FE86-578280EEF47C} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:07:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=227130 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {CE7FB174-A25A-3D02-FE86-578280EEF47C} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:07:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=227129 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:07:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=227128 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xC09C6 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:07:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227127 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xC09C6 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {CE7FB174-A25A-3D02-FE86-578280EEF47C} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:07:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227126 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {CE7FB174-A25A-3D02-FE86-578280EEF47C} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:07:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=227125 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {CE7FB174-A25A-3D02-FE86-578280EEF47C} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:07:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=227124 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:07:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=227123 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xC0958 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:07:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227122 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xC0958 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {CE7FB174-A25A-3D02-FE86-578280EEF47C} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:07:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227121 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {CE7FB174-A25A-3D02-FE86-578280EEF47C} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:07:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=227120 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {CE7FB174-A25A-3D02-FE86-578280EEF47C} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:07:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=227119 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:07:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=227118 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xC093C Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:07:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=227117 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xC093C Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:07:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227116 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xC093C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {CE7FB174-A25A-3D02-FE86-578280EEF47C} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:07:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227115 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {CE7FB174-A25A-3D02-FE86-578280EEF47C} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:07:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=227114 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {CE7FB174-A25A-3D02-FE86-578280EEF47C} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:07:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=227113 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:07:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=227112 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xBF061 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:07:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=227111 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xBF061 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:07:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227110 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xBF061 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {CE7FB174-A25A-3D02-FE86-578280EEF47C} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:07:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227109 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {CE7FB174-A25A-3D02-FE86-578280EEF47C} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:07:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=227108 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {CE7FB174-A25A-3D02-FE86-578280EEF47C} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:07:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=227107 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:07:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=227106 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xBEFF3 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:07:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227105 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xBEFF3 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {CE7FB174-A25A-3D02-FE86-578280EEF47C} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:07:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227104 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {CE7FB174-A25A-3D02-FE86-578280EEF47C} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:07:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=227103 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {CE7FB174-A25A-3D02-FE86-578280EEF47C} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:07:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=227102 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:07:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=227101 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xBEFD7 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:07:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=227100 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xBEFD7 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:07:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227099 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xBEFD7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {CE7FB174-A25A-3D02-FE86-578280EEF47C} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:07:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227098 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {CE7FB174-A25A-3D02-FE86-578280EEF47C} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:07:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=227097 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {CE7FB174-A25A-3D02-FE86-578280EEF47C} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:07:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=227096 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:07:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=227095 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xBEF58 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:07:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=227094 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xBE844 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:07:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=227093 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xBD3ED Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:07:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=227092 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xBEF58 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:07:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227091 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xBEF58 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {CE7FB174-A25A-3D02-FE86-578280EEF47C} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:07:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227090 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {CE7FB174-A25A-3D02-FE86-578280EEF47C} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:07:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=227089 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {CE7FB174-A25A-3D02-FE86-578280EEF47C} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:07:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=227088 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:07:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=227174 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xC3160 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:07:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227173 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xC3160 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {7A185171-A7AC-3B5B-4FE1-F54EFD997ABE} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:07:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227172 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {7A185171-A7AC-3B5B-4FE1-F54EFD997ABE} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:07:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=227171 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {7A185171-A7AC-3B5B-4FE1-F54EFD997ABE} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:07:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=227170 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:07:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=227169 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xC30FF Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:07:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227168 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xC30FF Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {7A185171-A7AC-3B5B-4FE1-F54EFD997ABE} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:07:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227167 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {7A185171-A7AC-3B5B-4FE1-F54EFD997ABE} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:07:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=227166 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {7A185171-A7AC-3B5B-4FE1-F54EFD997ABE} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:07:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=227165 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:07:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=227164 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xC30E3 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:07:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=227163 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xC30E3 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:07:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227162 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xC30E3 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {7A185171-A7AC-3B5B-4FE1-F54EFD997ABE} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:07:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227161 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {7A185171-A7AC-3B5B-4FE1-F54EFD997ABE} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:07:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=227160 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {7A185171-A7AC-3B5B-4FE1-F54EFD997ABE} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:07:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=227159 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:07:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=227158 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xC2B7E Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:07:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=227157 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xC175A Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:07:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=227156 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xC2B7E Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:07:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227155 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xC2B7E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {7A185171-A7AC-3B5B-4FE1-F54EFD997ABE} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:07:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227154 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {7A185171-A7AC-3B5B-4FE1-F54EFD997ABE} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:07:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=227153 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {7A185171-A7AC-3B5B-4FE1-F54EFD997ABE} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:07:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=227152 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:07:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=227151 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xC175A Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:07:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227150 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xC175A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {7A185171-A7AC-3B5B-4FE1-F54EFD997ABE} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:07:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227149 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {7A185171-A7AC-3B5B-4FE1-F54EFD997ABE} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:07:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=227148 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {7A185171-A7AC-3B5B-4FE1-F54EFD997ABE} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:07:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=227147 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:07:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=227146 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xC16E6 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:07:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227145 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xC16E6 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {7A185171-A7AC-3B5B-4FE1-F54EFD997ABE} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:07:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227144 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {7A185171-A7AC-3B5B-4FE1-F54EFD997ABE} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:07:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=227143 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {7A185171-A7AC-3B5B-4FE1-F54EFD997ABE} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:07:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=227142 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:07:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=227141 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xC16CA Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:07:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=227140 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xC16CA Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:07:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227139 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xC16CA Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {7A185171-A7AC-3B5B-4FE1-F54EFD997ABE} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:07:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227138 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {7A185171-A7AC-3B5B-4FE1-F54EFD997ABE} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:07:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=227137 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {7A185171-A7AC-3B5B-4FE1-F54EFD997ABE} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:07:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=227136 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:07:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=227135 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xC0A3A Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:07:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=227134 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xC09C6 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:07:59 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=227213 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xC5F1B Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:07:59 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227212 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xC5F1B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {533CB8EA-BBFC-D9D8-141C-89DC8B104E17} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:07:59 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227211 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {533CB8EA-BBFC-D9D8-141C-89DC8B104E17} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:07:59 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=227210 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {533CB8EA-BBFC-D9D8-141C-89DC8B104E17} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:07:59 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=227209 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:07:59 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=227208 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xC4ADB Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:07:59 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227207 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xC4ADB Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {533CB8EA-BBFC-D9D8-141C-89DC8B104E17} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:07:59 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227206 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {533CB8EA-BBFC-D9D8-141C-89DC8B104E17} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:07:59 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=227205 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {533CB8EA-BBFC-D9D8-141C-89DC8B104E17} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:07:59 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=227204 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:07:59 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=227203 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xC4A51 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:07:59 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227202 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xC4A51 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {533CB8EA-BBFC-D9D8-141C-89DC8B104E17} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:07:59 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227201 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {533CB8EA-BBFC-D9D8-141C-89DC8B104E17} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:07:59 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=227200 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {533CB8EA-BBFC-D9D8-141C-89DC8B104E17} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:07:59 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=227199 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:07:59 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=227198 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xC4806 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:07:59 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227197 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xC4806 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {533CB8EA-BBFC-D9D8-141C-89DC8B104E17} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:07:59 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227196 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {533CB8EA-BBFC-D9D8-141C-89DC8B104E17} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:07:59 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=227195 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {533CB8EA-BBFC-D9D8-141C-89DC8B104E17} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:07:59 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=227194 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:07:59 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=227193 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xBD071 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:07:59 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=227192 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xC47D1 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:07:59 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=227191 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xC30FF Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:07:59 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=227190 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xBD36C Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:07:59 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=227189 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xBEFF3 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:07:59 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=227188 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xC0958 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:07:59 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=227187 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xC16E6 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:07:59 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=227186 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xC47D1 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:07:59 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227185 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xC47D1 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {533CB8EA-BBFC-D9D8-141C-89DC8B104E17} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:07:59 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227184 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {533CB8EA-BBFC-D9D8-141C-89DC8B104E17} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:07:59 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=227183 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {533CB8EA-BBFC-D9D8-141C-89DC8B104E17} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:07:59 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=227182 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:07:59 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=227181 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xC47B5 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:07:59 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=227180 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xC47B5 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:07:59 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227179 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xC47B5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {533CB8EA-BBFC-D9D8-141C-89DC8B104E17} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:07:59 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227178 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {533CB8EA-BBFC-D9D8-141C-89DC8B104E17} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:07:59 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=227177 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {533CB8EA-BBFC-D9D8-141C-89DC8B104E17} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:07:59 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=227176 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:07:59 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=227175 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xC3160 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:08:00 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=227218 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xC6C76 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:08:00 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227217 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xC6C76 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {128412C3-D008-566C-FA11-7CB4CE0DADB7} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:08:00 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227216 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {128412C3-D008-566C-FA11-7CB4CE0DADB7} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:08:00 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=227215 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {128412C3-D008-566C-FA11-7CB4CE0DADB7} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:08:00 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=227214 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:08:01 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=227255 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xCB264 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:08:01 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227254 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xCB264 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {959D47E0-0DDE-75BF-FB80-04D1D7814BEB} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:08:01 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227253 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {959D47E0-0DDE-75BF-FB80-04D1D7814BEB} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:08:01 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=227252 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {959D47E0-0DDE-75BF-FB80-04D1D7814BEB} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:08:01 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=227251 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:08:01 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=227250 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xC9E2A Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:08:01 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227249 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xC9E2A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {959D47E0-0DDE-75BF-FB80-04D1D7814BEB} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:08:01 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227248 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {959D47E0-0DDE-75BF-FB80-04D1D7814BEB} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:08:01 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=227247 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {959D47E0-0DDE-75BF-FB80-04D1D7814BEB} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:08:01 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=227246 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:08:01 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=227245 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xC9D9F Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:08:01 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227244 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xC9D9F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {959D47E0-0DDE-75BF-FB80-04D1D7814BEB} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:08:01 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227243 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {959D47E0-0DDE-75BF-FB80-04D1D7814BEB} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:08:01 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=227242 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {959D47E0-0DDE-75BF-FB80-04D1D7814BEB} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:08:01 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=227241 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:08:01 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=227240 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xC9B54 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:08:01 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227239 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xC9B54 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {959D47E0-0DDE-75BF-FB80-04D1D7814BEB} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:08:01 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227238 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {959D47E0-0DDE-75BF-FB80-04D1D7814BEB} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:08:01 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=227237 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {959D47E0-0DDE-75BF-FB80-04D1D7814BEB} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:08:01 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=227236 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:08:01 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=227235 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xC4806 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:08:01 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=227234 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xC9B1F Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:08:01 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=227233 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xC4A51 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:08:01 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=227232 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xC9B1F Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:08:01 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227231 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xC9B1F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {959D47E0-0DDE-75BF-FB80-04D1D7814BEB} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:08:01 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227230 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {959D47E0-0DDE-75BF-FB80-04D1D7814BEB} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:08:01 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=227229 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {959D47E0-0DDE-75BF-FB80-04D1D7814BEB} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:08:01 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=227228 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:08:01 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=227227 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xC9B03 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:08:01 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=227226 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xC9B03 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:08:01 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227225 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xC9B03 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {959D47E0-0DDE-75BF-FB80-04D1D7814BEB} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:08:01 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227224 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {959D47E0-0DDE-75BF-FB80-04D1D7814BEB} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:08:01 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=227223 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {959D47E0-0DDE-75BF-FB80-04D1D7814BEB} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:08:01 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=227222 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:08:01 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=227221 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xC6C76 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:08:01 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=227220 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xC5F1B Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:08:01 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=227219 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xC4ADB Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:08:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=227260 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xCBAB7 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:08:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227259 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xCBAB7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {E421278C-4492-5C73-5659-C6A3BF50B303} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:08:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227258 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {E421278C-4492-5C73-5659-C6A3BF50B303} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:08:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=227257 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {E421278C-4492-5C73-5659-C6A3BF50B303} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:08:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=227256 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:08:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=227314 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xD6009 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:08:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227313 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xD6009 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {F7BB169F-0299-F3EF-ED77-944651ED339E} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:08:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227312 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {F7BB169F-0299-F3EF-ED77-944651ED339E} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:08:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=227311 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {F7BB169F-0299-F3EF-ED77-944651ED339E} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:08:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=227310 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:08:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=227309 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xD4BE8 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:08:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227308 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xD4BE8 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {F7BB169F-0299-F3EF-ED77-944651ED339E} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:08:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227307 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {F7BB169F-0299-F3EF-ED77-944651ED339E} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:08:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=227306 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {F7BB169F-0299-F3EF-ED77-944651ED339E} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:08:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=227305 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:08:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=227304 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xD4B5D Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:08:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227303 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xD4B5D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {F7BB169F-0299-F3EF-ED77-944651ED339E} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:08:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227302 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {F7BB169F-0299-F3EF-ED77-944651ED339E} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:08:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=227301 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {F7BB169F-0299-F3EF-ED77-944651ED339E} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:08:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=227300 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:08:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=227299 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xD4B41 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:08:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=227298 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xD4B41 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:08:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227297 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xD4B41 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {F7BB169F-0299-F3EF-ED77-944651ED339E} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:08:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227296 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {F7BB169F-0299-F3EF-ED77-944651ED339E} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:08:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=227295 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {F7BB169F-0299-F3EF-ED77-944651ED339E} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:08:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=227294 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:08:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=227293 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xD3111 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:08:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=227292 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xD3111 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:08:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227291 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xD3111 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {F7BB169F-0299-F3EF-ED77-944651ED339E} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:08:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227290 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {F7BB169F-0299-F3EF-ED77-944651ED339E} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:08:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=227289 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {F7BB169F-0299-F3EF-ED77-944651ED339E} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:08:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=227288 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:08:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=227287 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xD3085 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:08:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227286 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xD3085 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {F7BB169F-0299-F3EF-ED77-944651ED339E} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:08:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227285 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {F7BB169F-0299-F3EF-ED77-944651ED339E} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:08:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=227284 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {F7BB169F-0299-F3EF-ED77-944651ED339E} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:08:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=227283 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:08:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=227282 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xD2E3A Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:08:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227281 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xD2E3A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {F7BB169F-0299-F3EF-ED77-944651ED339E} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:08:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227280 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {F7BB169F-0299-F3EF-ED77-944651ED339E} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:08:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=227279 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {F7BB169F-0299-F3EF-ED77-944651ED339E} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:08:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=227278 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:08:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=227277 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xC9B54 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:08:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=227276 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xD2E05 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:08:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=227275 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xC9D9F Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:08:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=227274 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xD2E05 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:08:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227273 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xD2E05 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {F7BB169F-0299-F3EF-ED77-944651ED339E} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:08:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227272 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {F7BB169F-0299-F3EF-ED77-944651ED339E} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:08:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=227271 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {F7BB169F-0299-F3EF-ED77-944651ED339E} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:08:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=227270 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:08:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=227269 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xD2DE1 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:08:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=227268 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xD2DE1 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:08:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227267 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xD2DE1 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {F7BB169F-0299-F3EF-ED77-944651ED339E} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:08:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227266 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {F7BB169F-0299-F3EF-ED77-944651ED339E} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:08:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=227265 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {F7BB169F-0299-F3EF-ED77-944651ED339E} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:08:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=227264 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:08:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=227263 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xCBAB7 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:08:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=227262 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xCB264 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:08:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=227261 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xC9E2A Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:08:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=227324 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {2175C9DE-9FDF-8179-5C43-B0A0BF41BC59} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:08:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=227323 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:08:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=227322 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xD68B3 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:08:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=227321 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xD6009 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:08:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=227320 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xD4BE8 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:08:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=227319 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xD68B3 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:08:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227318 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xD68B3 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {2175C9DE-9FDF-8179-5C43-B0A0BF41BC59} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:08:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227317 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {2175C9DE-9FDF-8179-5C43-B0A0BF41BC59} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:08:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=227316 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {2175C9DE-9FDF-8179-5C43-B0A0BF41BC59} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:08:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=227315 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:08:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=227366 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xD940A Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:08:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227365 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xD940A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {738B5D86-8712-3B9D-9695-741E4B4F609A} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:08:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227364 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {738B5D86-8712-3B9D-9695-741E4B4F609A} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:08:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=227363 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {738B5D86-8712-3B9D-9695-741E4B4F609A} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:08:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=227362 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:08:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=227361 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xD7EA1 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:08:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227360 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xD7EA1 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {738B5D86-8712-3B9D-9695-741E4B4F609A} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:08:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227359 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {738B5D86-8712-3B9D-9695-741E4B4F609A} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:08:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=227358 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {738B5D86-8712-3B9D-9695-741E4B4F609A} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:08:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=227357 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:08:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=227356 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xD7E30 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:08:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227355 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xD7E30 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {738B5D86-8712-3B9D-9695-741E4B4F609A} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:08:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227354 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {738B5D86-8712-3B9D-9695-741E4B4F609A} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:08:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=227353 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {738B5D86-8712-3B9D-9695-741E4B4F609A} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:08:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=227352 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:08:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=227351 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xD7E14 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:08:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=227350 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xD7E14 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:08:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227349 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xD7E14 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {738B5D86-8712-3B9D-9695-741E4B4F609A} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:08:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227348 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {738B5D86-8712-3B9D-9695-741E4B4F609A} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:08:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=227347 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {738B5D86-8712-3B9D-9695-741E4B4F609A} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:08:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=227346 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:08:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=227345 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xD7180 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:08:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=227344 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xD7100 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:08:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=227343 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xD7180 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:08:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227342 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xD7180 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {738B5D86-8712-3B9D-9695-741E4B4F609A} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:08:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227341 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {738B5D86-8712-3B9D-9695-741E4B4F609A} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:08:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=227340 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {738B5D86-8712-3B9D-9695-741E4B4F609A} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:08:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=227339 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:08:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=227338 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xD7100 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:08:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227337 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xD7100 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {738B5D86-8712-3B9D-9695-741E4B4F609A} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:08:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227336 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {738B5D86-8712-3B9D-9695-741E4B4F609A} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:08:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=227335 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {738B5D86-8712-3B9D-9695-741E4B4F609A} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:08:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=227334 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:08:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=227333 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xD709B Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:08:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227332 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xD709B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {738B5D86-8712-3B9D-9695-741E4B4F609A} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:08:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227331 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {738B5D86-8712-3B9D-9695-741E4B4F609A} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:08:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=227330 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {738B5D86-8712-3B9D-9695-741E4B4F609A} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:08:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=227329 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:08:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=227328 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xD707F Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:08:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=227327 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xD707F Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:08:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227326 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xD707F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {2175C9DE-9FDF-8179-5C43-B0A0BF41BC59} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:08:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227325 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {2175C9DE-9FDF-8179-5C43-B0A0BF41BC59} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:08:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=227423 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xDC9B0 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:08:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227422 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xDC9B0 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {CF61CFCD-2928-781F-AACF-B4B0F8578A6E} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:08:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227421 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {CF61CFCD-2928-781F-AACF-B4B0F8578A6E} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:08:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=227420 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {CF61CFCD-2928-781F-AACF-B4B0F8578A6E} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:08:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=227419 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:08:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=227418 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xDB470 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:08:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227417 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xDB470 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {CF61CFCD-2928-781F-AACF-B4B0F8578A6E} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:08:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227416 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {CF61CFCD-2928-781F-AACF-B4B0F8578A6E} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:08:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=227415 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {CF61CFCD-2928-781F-AACF-B4B0F8578A6E} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:08:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=227414 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:08:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=227413 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xDB3D7 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:08:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227412 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xDB3D7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {CF61CFCD-2928-781F-AACF-B4B0F8578A6E} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:08:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227411 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {CF61CFCD-2928-781F-AACF-B4B0F8578A6E} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:08:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=227410 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {CF61CFCD-2928-781F-AACF-B4B0F8578A6E} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:08:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=227409 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:08:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=227408 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xDB18C Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:08:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227407 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xDB18C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {CF61CFCD-2928-781F-AACF-B4B0F8578A6E} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:08:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227406 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {CF61CFCD-2928-781F-AACF-B4B0F8578A6E} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:08:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=227405 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {CF61CFCD-2928-781F-AACF-B4B0F8578A6E} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:08:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=227404 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:08:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=227403 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xD2E3A Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:08:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=227402 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xDB157 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:08:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=227401 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xD9A7F Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:08:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=227400 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xD7E30 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:08:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=227399 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xD4B5D Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:08:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=227398 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xD3085 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:08:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=227397 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xD709B Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:08:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=227396 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xDB157 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:08:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227395 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xDB157 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {CF61CFCD-2928-781F-AACF-B4B0F8578A6E} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:08:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227394 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {CF61CFCD-2928-781F-AACF-B4B0F8578A6E} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:08:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=227393 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {CF61CFCD-2928-781F-AACF-B4B0F8578A6E} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:08:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=227392 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:08:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=227391 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xDB13B Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:08:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=227390 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xDB13B Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:08:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227389 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xDB13B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {CF61CFCD-2928-781F-AACF-B4B0F8578A6E} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:08:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227388 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {CF61CFCD-2928-781F-AACF-B4B0F8578A6E} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:08:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=227387 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {CF61CFCD-2928-781F-AACF-B4B0F8578A6E} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:08:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=227386 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:08:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=227385 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xD9AE4 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:08:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=227384 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xD9AE4 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:08:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227383 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xD9AE4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {CF61CFCD-2928-781F-AACF-B4B0F8578A6E} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:08:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227382 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {CF61CFCD-2928-781F-AACF-B4B0F8578A6E} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:08:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=227381 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {CF61CFCD-2928-781F-AACF-B4B0F8578A6E} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:08:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=227380 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:08:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=227379 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xD9A7F Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:08:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227378 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xD9A7F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {CF61CFCD-2928-781F-AACF-B4B0F8578A6E} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:08:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227377 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {CF61CFCD-2928-781F-AACF-B4B0F8578A6E} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:08:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=227376 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {CF61CFCD-2928-781F-AACF-B4B0F8578A6E} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:08:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=227375 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:08:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=227374 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xD9A63 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:08:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=227373 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xD9A63 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:08:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227372 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xD9A63 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {CF61CFCD-2928-781F-AACF-B4B0F8578A6E} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:08:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227371 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {CF61CFCD-2928-781F-AACF-B4B0F8578A6E} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:08:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=227370 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {CF61CFCD-2928-781F-AACF-B4B0F8578A6E} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:08:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=227369 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:08:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=227368 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xD940A Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:08:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=227367 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xD7EA1 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:08:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=227449 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0xDD995 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:08:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227448 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0xDD995 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {AD35A0F2-7BED-96F5-8295-972463FE0B30} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: fe80::15f7:4ea2:8f9e:67e8 Source Port: 51090 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:08:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=227447 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0xDD995 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 10/09/2020 09:08:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=227446 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0xDD92B Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:08:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227445 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0xDD92B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {AD35A0F2-7BED-96F5-8295-972463FE0B30} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: fe80::15f7:4ea2:8f9e:67e8 Source Port: 51089 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:08:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=227444 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0xDD92B Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 10/09/2020 09:08:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=227443 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0xDD899 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:08:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227441 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0xDD899 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {AD35A0F2-7BED-96F5-8295-972463FE0B30} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: fe80::15f7:4ea2:8f9e:67e8 Source Port: 51088 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:08:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=227440 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0xDD899 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 10/09/2020 09:08:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=227439 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0xDD85C Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:08:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227437 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0xDD85C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {AD35A0F2-7BED-96F5-8295-972463FE0B30} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: fe80::15f7:4ea2:8f9e:67e8 Source Port: 51087 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:08:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=227436 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0xDD85C Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 10/09/2020 09:08:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4742 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Computer Account Management OpCode=Info RecordNumber=227435 Keywords=Audit Success Message=A computer account was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x30406 Computer Account That Was Changed: Security ID: ATTACKRANGE\WIN-DC-1796611$ Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Changed Attributes: SAM Account Name: - Display Name: - User Principal Name: - Home Directory: - Home Drive: - Script Path: - Profile Path: - User Workstations: - Password Last Set: - Account Expires: - Primary Group ID: - AllowedToDelegateTo: - Old UAC Value: - New UAC Value: - User Account Control: - User Parameters: - SID History: - Logon Hours: - DNS Host Name: - Service Principal Names: ldap/win-dc-1796611.attackrange.local/attackrange.local ldap/win-dc-1796611.attackrange.local ldap/WIN-DC-1796611 ldap/win-dc-1796611.attackrange.local/ATTACKRANGE ldap/56b2badd-17fa-404a-9152-594780d23fa4._msdcs.attackrange.local ldap/WIN-DC-1796611/ATTACKRANGE E3514235-4B06-11D1-AB04-00C04FC2DCD2/56b2badd-17fa-404a-9152-594780d23fa4/attackrange.local HOST/win-dc-1796611.attackrange.local/attackrange.local HOST/win-dc-1796611.attackrange.local HOST/WIN-DC-1796611 HOST/win-dc-1796611.attackrange.local/ATTACKRANGE HOST/WIN-DC-1796611/ATTACKRANGE RPC/56b2badd-17fa-404a-9152-594780d23fa4._msdcs.attackrange.local RestrictedKrbHost/WIN-DC-1796611 RestrictedKrbHost/win-dc-1796611.attackrange.local GC/win-dc-1796611.attackrange.local/attackrange.local DNS/win-dc-1796611.attackrange.local ldap/win-dc-1796611.attackrange.local/DomainDnsZones.attackrange.local ldap/win-dc-1796611.attackrange.local/ForestDnsZones.attackrange.local TERMSRV/win-dc-1796611.attackrange.local TERMSRV/WIN-DC-1796611 Dfsr-12F9A27C-BF97-4787-9364-D31B6C55EB04/win-dc-1796611.attackrange.local Additional Information: Privileges: - 10/09/2020 09:08:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227433 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0xDD7A7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {F59142DA-B4B9-5F20-6B78-B0C3B5C1CA11} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: fe80::15f7:4ea2:8f9e:67e8 Source Port: 49697 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:08:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=227432 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0xDD7A7 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 10/09/2020 09:08:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=227431 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xDD00A Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:08:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227430 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xDD00A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {FDD4322C-7D0B-FE37-D94E-ECFE6991A80B} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:08:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227429 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {FDD4322C-7D0B-FE37-D94E-ECFE6991A80B} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:08:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=227428 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {FDD4322C-7D0B-FE37-D94E-ECFE6991A80B} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:08:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=227427 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:08:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=227426 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0xDCE43 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:08:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227425 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0xDCE43 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {AD35A0F2-7BED-96F5-8295-972463FE0B30} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: ::1 Source Port: 51085 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:08:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=227424 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0xDCE43 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 10/09/2020 09:08:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=227499 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xE2676 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:08:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227498 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xE2676 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {BBB73ABC-EF75-6139-B4E8-4EF0A5499BC4} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:08:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227497 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {BBB73ABC-EF75-6139-B4E8-4EF0A5499BC4} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:08:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=227496 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {BBB73ABC-EF75-6139-B4E8-4EF0A5499BC4} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:08:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=227495 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:08:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227494 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0xDFF04 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {AD35A0F2-7BED-96F5-8295-972463FE0B30} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: fe80::15f7:4ea2:8f9e:67e8 Source Port: 51094 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:08:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=227493 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0xDFF04 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 10/09/2020 09:08:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=227492 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0xDFA2F Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:08:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227491 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0xDFA2F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {AD35A0F2-7BED-96F5-8295-972463FE0B30} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: fe80::15f7:4ea2:8f9e:67e8 Source Port: 51092 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:08:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=227490 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0xDFA2F Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 10/09/2020 09:08:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=227489 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0xDF9A9 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:08:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227488 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0xDF9A9 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {AD35A0F2-7BED-96F5-8295-972463FE0B30} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: fe80::15f7:4ea2:8f9e:67e8 Source Port: 51091 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:08:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=227487 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0xDF9A9 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 10/09/2020 09:08:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=227486 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xDF4EF Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:08:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227485 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xDF4EF Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {BBB73ABC-EF75-6139-B4E8-4EF0A5499BC4} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:08:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227484 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {BBB73ABC-EF75-6139-B4E8-4EF0A5499BC4} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:08:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=227483 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {BBB73ABC-EF75-6139-B4E8-4EF0A5499BC4} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:08:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=227482 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:08:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=227481 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xDE0CD Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:08:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227480 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xDE0CD Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {BBB73ABC-EF75-6139-B4E8-4EF0A5499BC4} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:08:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227479 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {BBB73ABC-EF75-6139-B4E8-4EF0A5499BC4} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:08:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=227478 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {BBB73ABC-EF75-6139-B4E8-4EF0A5499BC4} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:08:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=227477 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:08:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=227476 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xDE040 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:08:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227475 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xDE040 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {BBB73ABC-EF75-6139-B4E8-4EF0A5499BC4} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:08:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227474 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {BBB73ABC-EF75-6139-B4E8-4EF0A5499BC4} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:08:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=227473 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {BBB73ABC-EF75-6139-B4E8-4EF0A5499BC4} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:08:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=227472 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:08:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=227471 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xDDD82 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:08:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227470 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xDDD82 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {BBB73ABC-EF75-6139-B4E8-4EF0A5499BC4} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:08:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227469 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {BBB73ABC-EF75-6139-B4E8-4EF0A5499BC4} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:08:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=227468 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {BBB73ABC-EF75-6139-B4E8-4EF0A5499BC4} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:08:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=227467 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:08:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=227466 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xDB18C Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:08:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=227465 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xDDD3F Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:08:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=227464 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xDB3D7 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:08:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=227463 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xDDD3F Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:08:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227462 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xDDD3F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {BBB73ABC-EF75-6139-B4E8-4EF0A5499BC4} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:08:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227461 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {BBB73ABC-EF75-6139-B4E8-4EF0A5499BC4} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:08:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=227460 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {BBB73ABC-EF75-6139-B4E8-4EF0A5499BC4} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:08:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=227459 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:08:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=227458 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xDDD23 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:08:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=227457 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xDDD23 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:08:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227456 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xDDD23 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {BBB73ABC-EF75-6139-B4E8-4EF0A5499BC4} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:08:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227455 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {BBB73ABC-EF75-6139-B4E8-4EF0A5499BC4} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:08:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=227454 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {BBB73ABC-EF75-6139-B4E8-4EF0A5499BC4} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:08:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=227453 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:08:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=227452 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xDD00A Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:08:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=227451 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xDC9B0 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:08:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=227450 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xDB470 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:08:20 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=227530 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xE695B Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:08:20 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227529 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xE695B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {74F26357-BED2-02B8-9EDF-FFD8AB5F347D} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:08:20 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227528 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {74F26357-BED2-02B8-9EDF-FFD8AB5F347D} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:08:20 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=227527 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {74F26357-BED2-02B8-9EDF-FFD8AB5F347D} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:08:20 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=227526 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:08:20 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=227525 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xE68A5 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:08:20 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227524 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xE68A5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {74F26357-BED2-02B8-9EDF-FFD8AB5F347D} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:08:20 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227523 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {74F26357-BED2-02B8-9EDF-FFD8AB5F347D} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:08:20 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=227522 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {74F26357-BED2-02B8-9EDF-FFD8AB5F347D} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:08:20 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=227521 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:08:20 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=227520 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xE6530 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:08:20 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227519 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xE6530 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {74F26357-BED2-02B8-9EDF-FFD8AB5F347D} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:08:20 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227518 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {74F26357-BED2-02B8-9EDF-FFD8AB5F347D} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:08:20 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=227517 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {74F26357-BED2-02B8-9EDF-FFD8AB5F347D} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:08:20 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=227516 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:08:20 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=227515 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xE6304 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:08:20 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=227514 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xDE040 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:08:20 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=227513 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xE6304 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:08:20 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227512 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xE6304 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {74F26357-BED2-02B8-9EDF-FFD8AB5F347D} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:08:20 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227511 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {74F26357-BED2-02B8-9EDF-FFD8AB5F347D} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:08:20 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=227510 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {74F26357-BED2-02B8-9EDF-FFD8AB5F347D} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:08:20 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=227509 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:08:20 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=227508 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xE6209 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:08:20 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=227507 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xE6209 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:08:20 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227506 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xE6209 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {74F26357-BED2-02B8-9EDF-FFD8AB5F347D} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:08:20 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227505 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {74F26357-BED2-02B8-9EDF-FFD8AB5F347D} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:08:20 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=227504 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {74F26357-BED2-02B8-9EDF-FFD8AB5F347D} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:08:20 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=227503 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:08:20 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=227502 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xE2676 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:08:20 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=227501 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xDF4EF Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:08:20 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=227500 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xDE0CD Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:08:21 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=227552 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xE9CCF Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:08:21 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227551 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xE9CCF Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {3419044A-21E9-F216-64B4-DA39A03ACBC4} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:08:21 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227550 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {3419044A-21E9-F216-64B4-DA39A03ACBC4} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:08:21 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=227549 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {3419044A-21E9-F216-64B4-DA39A03ACBC4} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:08:21 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=227548 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:08:21 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=227547 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xE880B Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:08:21 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227546 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xE880B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {3419044A-21E9-F216-64B4-DA39A03ACBC4} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:08:21 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227545 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {3419044A-21E9-F216-64B4-DA39A03ACBC4} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:08:21 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=227544 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {3419044A-21E9-F216-64B4-DA39A03ACBC4} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:08:21 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=227543 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:08:21 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=227542 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xE875B Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:08:21 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227541 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xE875B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {3419044A-21E9-F216-64B4-DA39A03ACBC4} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:08:21 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227540 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {3419044A-21E9-F216-64B4-DA39A03ACBC4} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:08:21 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=227539 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {3419044A-21E9-F216-64B4-DA39A03ACBC4} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:08:21 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=227538 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:08:21 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=227537 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xE86EB Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:08:21 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=227536 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xE86EB Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:08:21 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227535 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xE86EB Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {3419044A-21E9-F216-64B4-DA39A03ACBC4} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:08:21 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227534 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {3419044A-21E9-F216-64B4-DA39A03ACBC4} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:08:21 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=227533 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {3419044A-21E9-F216-64B4-DA39A03ACBC4} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:08:21 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=227532 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:08:21 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=227531 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xE695B Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:08:22 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=227599 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xEB92A Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:08:22 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227598 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xEB92A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {B459D5F3-46F0-00FC-FD81-56A8EF0E8028} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:08:22 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227597 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {B459D5F3-46F0-00FC-FD81-56A8EF0E8028} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:08:22 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=227596 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {B459D5F3-46F0-00FC-FD81-56A8EF0E8028} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:08:22 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=227595 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:08:22 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=227594 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xEB8B3 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:08:22 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227593 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xEB8B3 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {B459D5F3-46F0-00FC-FD81-56A8EF0E8028} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:08:22 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227592 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {B459D5F3-46F0-00FC-FD81-56A8EF0E8028} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:08:22 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=227591 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {B459D5F3-46F0-00FC-FD81-56A8EF0E8028} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:08:22 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=227590 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:08:22 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=227589 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xEB897 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:08:22 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=227588 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xEB897 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:08:22 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227587 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xEB897 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {B459D5F3-46F0-00FC-FD81-56A8EF0E8028} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:08:22 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227586 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {B459D5F3-46F0-00FC-FD81-56A8EF0E8028} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:08:22 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=227585 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {B459D5F3-46F0-00FC-FD81-56A8EF0E8028} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:08:22 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=227584 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:08:22 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=227583 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xEABED Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:08:22 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=227582 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xEAB7A Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:08:22 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=227581 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xEABED Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:08:22 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227580 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xEABED Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {B459D5F3-46F0-00FC-FD81-56A8EF0E8028} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:08:22 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227579 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {B459D5F3-46F0-00FC-FD81-56A8EF0E8028} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:08:22 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=227578 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {B459D5F3-46F0-00FC-FD81-56A8EF0E8028} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:08:22 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=227577 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:08:22 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=227576 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xEAB7A Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:08:22 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227575 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xEAB7A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {B459D5F3-46F0-00FC-FD81-56A8EF0E8028} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:08:22 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227574 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {B459D5F3-46F0-00FC-FD81-56A8EF0E8028} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:08:22 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=227573 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {B459D5F3-46F0-00FC-FD81-56A8EF0E8028} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:08:22 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=227572 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:08:22 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=227571 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xEAB0C Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:08:22 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227570 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xEAB0C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {B459D5F3-46F0-00FC-FD81-56A8EF0E8028} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:08:22 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227569 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {B459D5F3-46F0-00FC-FD81-56A8EF0E8028} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:08:22 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=227568 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {B459D5F3-46F0-00FC-FD81-56A8EF0E8028} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:08:22 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=227567 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:08:22 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=227566 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xEAAF0 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:08:22 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=227565 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xEAAF0 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:08:22 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227564 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xEAAF0 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {B459D5F3-46F0-00FC-FD81-56A8EF0E8028} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:08:22 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227563 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {B459D5F3-46F0-00FC-FD81-56A8EF0E8028} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:08:22 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=227562 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {B459D5F3-46F0-00FC-FD81-56A8EF0E8028} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:08:22 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=227561 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:08:22 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=227560 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xEA464 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:08:22 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=227559 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xE9CCF Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:08:22 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=227558 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xE880B Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:08:22 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=227557 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xEA464 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:08:22 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227556 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xEA464 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {B459D5F3-46F0-00FC-FD81-56A8EF0E8028} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:08:22 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227555 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {B459D5F3-46F0-00FC-FD81-56A8EF0E8028} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:08:22 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=227554 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {B459D5F3-46F0-00FC-FD81-56A8EF0E8028} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:08:22 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=227553 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:08:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=227624 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xED37A Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:08:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227623 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xED37A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {12792651-4041-F9A6-AE64-F848FE232A08} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:08:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227622 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {12792651-4041-F9A6-AE64-F848FE232A08} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:08:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=227621 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {12792651-4041-F9A6-AE64-F848FE232A08} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:08:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=227620 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:08:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=227619 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xED30A Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:08:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227618 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xED30A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {12792651-4041-F9A6-AE64-F848FE232A08} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:08:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227617 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {12792651-4041-F9A6-AE64-F848FE232A08} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:08:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=227616 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {12792651-4041-F9A6-AE64-F848FE232A08} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:08:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=227615 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:08:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=227614 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xED2EE Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:08:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=227613 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xED2EE Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:08:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227612 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xED2EE Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {12792651-4041-F9A6-AE64-F848FE232A08} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:08:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227611 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {12792651-4041-F9A6-AE64-F848FE232A08} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:08:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=227610 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {12792651-4041-F9A6-AE64-F848FE232A08} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:08:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=227609 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:08:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=227608 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xECDF4 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:08:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=227607 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xEB92A Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:08:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=227606 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xECDF4 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:08:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227605 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xECDF4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {12792651-4041-F9A6-AE64-F848FE232A08} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:08:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227604 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {12792651-4041-F9A6-AE64-F848FE232A08} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:08:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=227603 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {12792651-4041-F9A6-AE64-F848FE232A08} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:08:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=227602 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:08:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227601 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0xECD0F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {AD35A0F2-7BED-96F5-8295-972463FE0B30} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: fe80::15f7:4ea2:8f9e:67e8 Source Port: 51097 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:08:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=227600 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0xECD0F Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 10/09/2020 09:08:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=227668 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xF073D Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:08:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227667 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xF073D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {F1A3F224-8AD0-35B0-9C6C-68BDF70EF854} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:08:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227666 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {F1A3F224-8AD0-35B0-9C6C-68BDF70EF854} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:08:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=227665 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {F1A3F224-8AD0-35B0-9C6C-68BDF70EF854} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:08:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=227664 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:08:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=227663 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xF0121 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:08:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227662 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xF0121 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {F1A3F224-8AD0-35B0-9C6C-68BDF70EF854} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:08:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227661 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {F1A3F224-8AD0-35B0-9C6C-68BDF70EF854} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:08:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=227660 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {F1A3F224-8AD0-35B0-9C6C-68BDF70EF854} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:08:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=227659 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:08:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=227658 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xEECFD Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:08:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227657 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xEECFD Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {F1A3F224-8AD0-35B0-9C6C-68BDF70EF854} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:08:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227656 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {F1A3F224-8AD0-35B0-9C6C-68BDF70EF854} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:08:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=227655 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {F1A3F224-8AD0-35B0-9C6C-68BDF70EF854} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:08:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=227654 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:08:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=227653 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xEEC72 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:08:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227652 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xEEC72 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {F1A3F224-8AD0-35B0-9C6C-68BDF70EF854} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:08:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227651 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {F1A3F224-8AD0-35B0-9C6C-68BDF70EF854} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:08:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=227650 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {F1A3F224-8AD0-35B0-9C6C-68BDF70EF854} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:08:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=227649 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:08:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=227648 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xEEA23 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:08:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227647 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xEEA23 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {F1A3F224-8AD0-35B0-9C6C-68BDF70EF854} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:08:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227646 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {F1A3F224-8AD0-35B0-9C6C-68BDF70EF854} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:08:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=227645 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {F1A3F224-8AD0-35B0-9C6C-68BDF70EF854} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:08:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=227644 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:08:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=227643 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xE6530 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:08:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=227642 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xEE9EE Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:08:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=227641 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xEB8B3 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:08:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=227640 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xE875B Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:08:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=227639 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xEAB0C Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:08:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=227638 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xE68A5 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:08:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=227637 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xED30A Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:08:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=227636 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xEE9EE Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:08:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227635 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xEE9EE Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {F1A3F224-8AD0-35B0-9C6C-68BDF70EF854} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:08:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227634 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {F1A3F224-8AD0-35B0-9C6C-68BDF70EF854} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:08:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=227633 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {F1A3F224-8AD0-35B0-9C6C-68BDF70EF854} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:08:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=227632 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:08:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=227631 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xEE9D2 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:08:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=227630 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xEE9D2 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:08:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227629 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xEE9D2 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {F1A3F224-8AD0-35B0-9C6C-68BDF70EF854} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:08:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227628 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {F1A3F224-8AD0-35B0-9C6C-68BDF70EF854} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:08:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=227627 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {F1A3F224-8AD0-35B0-9C6C-68BDF70EF854} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:08:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=227626 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:08:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=227625 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xED37A Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:08:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=227716 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0xF1E7F Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:08:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=227715 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0xF1FD6 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:08:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=227714 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0xF2035 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:08:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227713 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Delegation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0xF2947 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {F59142DA-B4B9-5F20-6B78-B0C3B5C1CA11} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: fe80::15f7:4ea2:8f9e:67e8 Source Port: 51100 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:08:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=227712 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0xF2947 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 10/09/2020 09:08:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=227711 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xF289F Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:08:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227710 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xF289F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {3DA18F29-1432-F232-011C-2DA3513CC69A} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:08:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227709 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {3DA18F29-1432-F232-011C-2DA3513CC69A} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:08:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=227708 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {3DA18F29-1432-F232-011C-2DA3513CC69A} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:08:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=227707 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:08:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227706 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0xF2035 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {F59142DA-B4B9-5F20-6B78-B0C3B5C1CA11} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.0.1.14 Source Port: 51099 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:08:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=227705 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0xF2035 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 10/09/2020 09:08:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227704 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0xF1FD6 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {D830101F-5339-028B-94B2-11EB21EF7750} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: ::1 Source Port: 0 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:08:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=227703 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0xF1FD6 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 10/09/2020 09:08:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227702 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0xF1E7F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {F59142DA-B4B9-5F20-6B78-B0C3B5C1CA11} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: fe80::15f7:4ea2:8f9e:67e8 Source Port: 51098 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:08:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=227701 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0xF1E7F Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 10/09/2020 09:08:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=227700 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xF1297 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:08:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227699 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xF1297 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {3DA18F29-1432-F232-011C-2DA3513CC69A} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:08:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227698 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {3DA18F29-1432-F232-011C-2DA3513CC69A} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:08:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=227697 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {3DA18F29-1432-F232-011C-2DA3513CC69A} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:08:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=227696 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:08:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=227695 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xF120A Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:08:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227694 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xF120A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {3DA18F29-1432-F232-011C-2DA3513CC69A} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:08:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227693 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {3DA18F29-1432-F232-011C-2DA3513CC69A} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:08:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=227692 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {3DA18F29-1432-F232-011C-2DA3513CC69A} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:08:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=227691 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:08:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=227690 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xF0FBF Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:08:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227689 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xF0FBF Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {3DA18F29-1432-F232-011C-2DA3513CC69A} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:08:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227688 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {3DA18F29-1432-F232-011C-2DA3513CC69A} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:08:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=227687 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {3DA18F29-1432-F232-011C-2DA3513CC69A} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:08:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=227686 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:08:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=227685 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xEEA23 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:08:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=227684 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xF0F8A Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:08:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=227683 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xEEC72 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:08:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=227682 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xF0F8A Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:08:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227681 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xF0F8A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {3DA18F29-1432-F232-011C-2DA3513CC69A} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:08:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227680 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {3DA18F29-1432-F232-011C-2DA3513CC69A} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:08:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=227679 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {3DA18F29-1432-F232-011C-2DA3513CC69A} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:08:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=227678 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:08:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=227677 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xF0F6E Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:08:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=227676 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xF0F6E Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:08:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227675 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xF0F6E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {3DA18F29-1432-F232-011C-2DA3513CC69A} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:08:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227674 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {3DA18F29-1432-F232-011C-2DA3513CC69A} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:08:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=227673 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {3DA18F29-1432-F232-011C-2DA3513CC69A} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:08:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=227672 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:08:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=227671 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xF073D Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:08:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=227670 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xF0121 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:08:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=227669 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xEECFD Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:08:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=227721 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xF33D9 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:08:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227720 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xF33D9 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {EF526C6A-C476-3835-1B62-3B07DF525045} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:08:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227719 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {EF526C6A-C476-3835-1B62-3B07DF525045} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:08:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=227718 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {EF526C6A-C476-3835-1B62-3B07DF525045} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:08:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=227717 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:08:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=227760 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xF7E5C Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:08:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227759 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xF7E5C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {63D03EE9-14E8-DBBD-1FF5-2727E62C83D9} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:08:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227758 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {63D03EE9-14E8-DBBD-1FF5-2727E62C83D9} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:08:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=227757 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {63D03EE9-14E8-DBBD-1FF5-2727E62C83D9} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:08:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=227756 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:08:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=227755 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xF617A Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:08:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227754 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xF617A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {63D03EE9-14E8-DBBD-1FF5-2727E62C83D9} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:08:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227753 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {63D03EE9-14E8-DBBD-1FF5-2727E62C83D9} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:08:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=227752 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {63D03EE9-14E8-DBBD-1FF5-2727E62C83D9} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:08:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=227751 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:08:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=227750 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xF60F9 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:08:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227749 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xF60F9 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {63D03EE9-14E8-DBBD-1FF5-2727E62C83D9} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:08:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227748 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {63D03EE9-14E8-DBBD-1FF5-2727E62C83D9} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:08:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=227747 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {63D03EE9-14E8-DBBD-1FF5-2727E62C83D9} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:08:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=227746 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:08:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=227745 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xF5E99 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:08:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227744 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xF5E99 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {63D03EE9-14E8-DBBD-1FF5-2727E62C83D9} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:08:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227743 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {63D03EE9-14E8-DBBD-1FF5-2727E62C83D9} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:08:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=227742 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {63D03EE9-14E8-DBBD-1FF5-2727E62C83D9} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:08:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=227741 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:08:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=227740 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:08:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227739 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x354 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:08:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=227738 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xF0FBF Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:08:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=227737 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xF588B Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:08:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=227736 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xF120A Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:08:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=227735 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xF588B Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:08:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227734 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xF588B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {63D03EE9-14E8-DBBD-1FF5-2727E62C83D9} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:08:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227733 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {63D03EE9-14E8-DBBD-1FF5-2727E62C83D9} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:08:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=227732 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {63D03EE9-14E8-DBBD-1FF5-2727E62C83D9} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:08:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=227731 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:08:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=227730 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xF586F Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:08:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=227729 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xF586F Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:08:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227728 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xF586F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {63D03EE9-14E8-DBBD-1FF5-2727E62C83D9} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:08:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227727 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {63D03EE9-14E8-DBBD-1FF5-2727E62C83D9} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:08:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=227726 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {63D03EE9-14E8-DBBD-1FF5-2727E62C83D9} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:08:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=227725 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:08:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=227724 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xF33D9 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:08:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=227723 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xF289F Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:08:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=227722 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xF1297 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:08:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=227789 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xFF9A6 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:08:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227788 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xFF9A6 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {2B5E8260-6F8A-B59F-71EB-6F1E072DC4FB} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:08:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227787 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {2B5E8260-6F8A-B59F-71EB-6F1E072DC4FB} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:08:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=227786 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {2B5E8260-6F8A-B59F-71EB-6F1E072DC4FB} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:08:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=227785 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:08:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=227784 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xFE571 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:08:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227783 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xFE571 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {2B5E8260-6F8A-B59F-71EB-6F1E072DC4FB} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:08:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227782 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {2B5E8260-6F8A-B59F-71EB-6F1E072DC4FB} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:08:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=227781 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {2B5E8260-6F8A-B59F-71EB-6F1E072DC4FB} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:08:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=227780 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:08:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=227779 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xFE4F5 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:08:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227778 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xFE4F5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {2B5E8260-6F8A-B59F-71EB-6F1E072DC4FB} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:08:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227777 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {2B5E8260-6F8A-B59F-71EB-6F1E072DC4FB} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:08:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=227776 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {2B5E8260-6F8A-B59F-71EB-6F1E072DC4FB} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:08:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=227775 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:08:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=227774 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xFE4D1 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:08:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=227773 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xFE4D1 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:08:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227772 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xFE4D1 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {2B5E8260-6F8A-B59F-71EB-6F1E072DC4FB} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:08:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227771 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {2B5E8260-6F8A-B59F-71EB-6F1E072DC4FB} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:08:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=227770 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {2B5E8260-6F8A-B59F-71EB-6F1E072DC4FB} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:08:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=227769 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:08:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=227768 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xFE353 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:08:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=227767 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xF7E5C Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:08:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=227766 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xF617A Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:08:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=227765 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xFE353 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:08:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227764 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xFE353 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {2B5E8260-6F8A-B59F-71EB-6F1E072DC4FB} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:08:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227763 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {2B5E8260-6F8A-B59F-71EB-6F1E072DC4FB} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:08:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=227762 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {2B5E8260-6F8A-B59F-71EB-6F1E072DC4FB} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:08:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=227761 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:08:29 AM LogName=Security SourceName=Microsoft-Windows-Security-Auditing EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=227826 Keywords=None Message=Splunk could not get the description for this event. Either the component that raises this event is not installed on your local computer or the installation is corrupt. FormatMessage error: Got the following information from this event: Administrator ATTACKRANGE SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:08:29 AM LogName=Security SourceName=Microsoft-Windows-Security-Auditing EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227825 Keywords=None Message=Splunk could not get the description for this event. Either the component that raises this event is not installed on your local computer or the installation is corrupt. FormatMessage error: Got the following information from this event: WIN-DC-1796611$ ATTACKRANGE Administrator ATTACKRANGE Advapi Negotiate WIN-DC-1796611 - - C:\Windows\System32\svchost.exe - - %%1833 - - - %%1843 %%1842 10/09/2020 09:08:29 AM LogName=Security SourceName=Microsoft-Windows-Security-Auditing EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227824 Keywords=None Message=Splunk could not get the description for this event. Either the component that raises this event is not installed on your local computer or the installation is corrupt. FormatMessage error: Got the following information from this event: WIN-DC-1796611$ ATTACKRANGE Administrator ATTACKRANGE localhost localhost C:\Windows\System32\svchost.exe - - 10/09/2020 09:08:29 AM LogName=Security SourceName=Microsoft-Windows-Security-Auditing EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=227823 Keywords=None Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {920F94CA-D74F-91AE-3271-6BB04DFE5AA5} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:08:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=227822 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:08:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=227821 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x10061B Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:08:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227820 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x10061B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {920F94CA-D74F-91AE-3271-6BB04DFE5AA5} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:08:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227819 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {920F94CA-D74F-91AE-3271-6BB04DFE5AA5} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:08:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=227818 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {920F94CA-D74F-91AE-3271-6BB04DFE5AA5} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:08:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=227817 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:08:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=227816 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x100584 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:08:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227815 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x100584 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {920F94CA-D74F-91AE-3271-6BB04DFE5AA5} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:08:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227814 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {920F94CA-D74F-91AE-3271-6BB04DFE5AA5} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:08:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=227813 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {920F94CA-D74F-91AE-3271-6BB04DFE5AA5} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:08:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=227812 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:08:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=227811 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x100339 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:08:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227810 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x100339 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {920F94CA-D74F-91AE-3271-6BB04DFE5AA5} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:08:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227809 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {920F94CA-D74F-91AE-3271-6BB04DFE5AA5} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:08:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=227808 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {920F94CA-D74F-91AE-3271-6BB04DFE5AA5} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:08:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=227807 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:08:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=227806 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xF5E99 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:08:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=227805 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x100304 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:08:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=227804 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xF60F9 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:08:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=227803 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xFE4F5 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:08:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=227802 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x100304 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:08:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227801 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x100304 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {920F94CA-D74F-91AE-3271-6BB04DFE5AA5} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:08:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227800 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {920F94CA-D74F-91AE-3271-6BB04DFE5AA5} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:08:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=227799 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {920F94CA-D74F-91AE-3271-6BB04DFE5AA5} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:08:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=227798 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:08:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=227797 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x1002E4 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:08:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=227796 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x1002E4 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:08:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227795 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x1002E4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {920F94CA-D74F-91AE-3271-6BB04DFE5AA5} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:08:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227794 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {920F94CA-D74F-91AE-3271-6BB04DFE5AA5} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:08:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=227793 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {920F94CA-D74F-91AE-3271-6BB04DFE5AA5} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:08:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=227792 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:08:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=227791 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xFF9A6 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:08:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=227790 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xFE571 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:08:30 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=227868 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x1041E9 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:08:30 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227867 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x1041E9 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {419D7229-1ADB-D7B8-2DA9-B7DBC9FE8A88} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:08:30 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227866 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {419D7229-1ADB-D7B8-2DA9-B7DBC9FE8A88} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:08:30 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=227865 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {419D7229-1ADB-D7B8-2DA9-B7DBC9FE8A88} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:08:30 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=227864 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:08:30 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=227863 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x102DB6 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:08:30 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227862 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x102DB6 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {419D7229-1ADB-D7B8-2DA9-B7DBC9FE8A88} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:08:30 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227861 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {419D7229-1ADB-D7B8-2DA9-B7DBC9FE8A88} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:08:30 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=227860 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {419D7229-1ADB-D7B8-2DA9-B7DBC9FE8A88} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:08:30 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=227859 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:08:30 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=227858 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x102D28 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:08:30 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227857 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x102D28 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {419D7229-1ADB-D7B8-2DA9-B7DBC9FE8A88} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:08:30 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227856 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {419D7229-1ADB-D7B8-2DA9-B7DBC9FE8A88} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:08:30 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=227855 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {419D7229-1ADB-D7B8-2DA9-B7DBC9FE8A88} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:08:30 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=227854 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:08:30 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=227853 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x102ADD Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:08:30 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227852 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x102ADD Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {419D7229-1ADB-D7B8-2DA9-B7DBC9FE8A88} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:08:30 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227851 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {419D7229-1ADB-D7B8-2DA9-B7DBC9FE8A88} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:08:30 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=227850 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {419D7229-1ADB-D7B8-2DA9-B7DBC9FE8A88} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:08:30 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=227849 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:08:30 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=227848 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x100339 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:08:30 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=227847 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x102AA8 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:08:30 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=227846 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x100584 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:08:30 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=227845 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x102AA8 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:08:30 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227844 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x102AA8 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {419D7229-1ADB-D7B8-2DA9-B7DBC9FE8A88} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:08:30 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227843 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {419D7229-1ADB-D7B8-2DA9-B7DBC9FE8A88} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:08:30 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=227842 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {419D7229-1ADB-D7B8-2DA9-B7DBC9FE8A88} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:08:30 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=227841 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:08:30 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=227840 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x102A8C Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:08:30 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=227839 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x102A8C Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:08:30 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227838 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x102A8C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {419D7229-1ADB-D7B8-2DA9-B7DBC9FE8A88} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:08:30 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227837 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {419D7229-1ADB-D7B8-2DA9-B7DBC9FE8A88} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:08:30 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=227836 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {419D7229-1ADB-D7B8-2DA9-B7DBC9FE8A88} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:08:30 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=227835 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:08:30 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=227834 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x1021E1 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:08:30 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=227833 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x101A43 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:08:30 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=227832 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x10061B Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:08:30 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=227831 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x1021E1 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:08:30 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227830 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x1021E1 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {419D7229-1ADB-D7B8-2DA9-B7DBC9FE8A88} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:08:30 AM LogName=Security SourceName=Microsoft-Windows-Security-Auditing EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227829 Keywords=None Message=Splunk could not get the description for this event. Either the component that raises this event is not installed on your local computer or the installation is corrupt. FormatMessage error: Got the following information from this event: WIN-DC-1796611$ ATTACKRANGE Administrator ATTACKRANGE localhost localhost C:\Windows\System32\svchost.exe - - 10/09/2020 09:08:30 AM LogName=Security SourceName=Microsoft-Windows-Security-Auditing EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=227828 Keywords=None Message=Splunk could not get the description for this event. Either the component that raises this event is not installed on your local computer or the installation is corrupt. FormatMessage error: Got the following information from this event: Administrator@ATTACKRANGE.LOCAL ATTACKRANGE.LOCAL WIN-DC-1796611$ ::1 0 - 10/09/2020 09:08:30 AM LogName=Security SourceName=Microsoft-Windows-Security-Auditing EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=227827 Keywords=None Message=Splunk could not get the description for this event. Either the component that raises this event is not installed on your local computer or the installation is corrupt. FormatMessage error: Got the following information from this event: Administrator ATTACKRANGE krbtgt 2 ::1 0 10/09/2020 09:08:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=227873 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x104975 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:08:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227872 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x104975 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {67220B4D-3585-C560-710E-E6BEF0AF8F61} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:08:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227871 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {67220B4D-3585-C560-710E-E6BEF0AF8F61} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:08:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=227870 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {67220B4D-3585-C560-710E-E6BEF0AF8F61} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:08:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=227869 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:08:32 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=227910 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x10685B Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:08:32 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227909 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x10685B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {06DF7E50-AFB4-1AFF-23D4-AEA188754555} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:08:32 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227908 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {06DF7E50-AFB4-1AFF-23D4-AEA188754555} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:08:32 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=227907 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {06DF7E50-AFB4-1AFF-23D4-AEA188754555} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:08:32 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=227906 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:08:32 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=227905 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x10539A Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:08:32 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227904 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x10539A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {06DF7E50-AFB4-1AFF-23D4-AEA188754555} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:08:32 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227903 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {06DF7E50-AFB4-1AFF-23D4-AEA188754555} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:08:32 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=227902 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {06DF7E50-AFB4-1AFF-23D4-AEA188754555} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:08:32 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=227901 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:08:32 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=227900 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x10530C Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:08:32 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227899 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x10530C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {06DF7E50-AFB4-1AFF-23D4-AEA188754555} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:08:32 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227898 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {06DF7E50-AFB4-1AFF-23D4-AEA188754555} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:08:32 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=227897 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {06DF7E50-AFB4-1AFF-23D4-AEA188754555} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:08:32 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=227896 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:08:32 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=227895 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x1050A3 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:08:32 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227894 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x1050A3 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {06DF7E50-AFB4-1AFF-23D4-AEA188754555} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:08:32 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227893 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {06DF7E50-AFB4-1AFF-23D4-AEA188754555} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:08:32 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=227892 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {06DF7E50-AFB4-1AFF-23D4-AEA188754555} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:08:32 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=227891 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:08:32 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=227890 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x102ADD Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:08:32 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=227889 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x105018 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:08:32 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=227888 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x102D28 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:08:32 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=227887 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x105018 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:08:32 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227886 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x105018 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {06DF7E50-AFB4-1AFF-23D4-AEA188754555} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:08:32 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227885 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {06DF7E50-AFB4-1AFF-23D4-AEA188754555} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:08:32 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=227884 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {06DF7E50-AFB4-1AFF-23D4-AEA188754555} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:08:32 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=227883 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:08:32 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=227882 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x104FF6 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:08:32 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=227881 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x104FF6 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:08:32 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227880 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x104FF6 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {06DF7E50-AFB4-1AFF-23D4-AEA188754555} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:08:32 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227879 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {06DF7E50-AFB4-1AFF-23D4-AEA188754555} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:08:32 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=227878 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {06DF7E50-AFB4-1AFF-23D4-AEA188754555} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:08:32 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=227877 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:08:32 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=227876 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x104975 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:08:32 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=227875 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x1041E9 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:08:32 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=227874 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x102DB6 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:08:33 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=227952 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x1084F8 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:08:33 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227951 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x1084F8 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {FC97AD5D-16B4-E880-B5A4-C3736BC1B3A0} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:08:33 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227950 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {FC97AD5D-16B4-E880-B5A4-C3736BC1B3A0} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:08:33 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=227949 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {FC97AD5D-16B4-E880-B5A4-C3736BC1B3A0} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:08:33 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=227948 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:08:33 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=227947 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x1070CA Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:08:33 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227946 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x1070CA Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {FC97AD5D-16B4-E880-B5A4-C3736BC1B3A0} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:08:33 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227945 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {FC97AD5D-16B4-E880-B5A4-C3736BC1B3A0} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:08:33 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=227944 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {FC97AD5D-16B4-E880-B5A4-C3736BC1B3A0} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:08:33 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=227943 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:08:33 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=227942 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x107044 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:08:33 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227941 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x107044 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {FC97AD5D-16B4-E880-B5A4-C3736BC1B3A0} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:08:33 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227940 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {FC97AD5D-16B4-E880-B5A4-C3736BC1B3A0} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:08:33 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=227939 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {FC97AD5D-16B4-E880-B5A4-C3736BC1B3A0} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:08:33 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=227938 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:08:33 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=227937 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x106DF9 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:08:33 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227936 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x106DF9 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {FC97AD5D-16B4-E880-B5A4-C3736BC1B3A0} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:08:33 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227935 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {FC97AD5D-16B4-E880-B5A4-C3736BC1B3A0} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:08:33 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=227934 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {FC97AD5D-16B4-E880-B5A4-C3736BC1B3A0} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:08:33 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=227933 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:08:33 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=227932 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x1050A3 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:08:33 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=227931 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x106DC4 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:08:33 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=227930 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x10530C Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:08:33 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=227929 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x106DC4 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:08:33 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227928 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x106DC4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {FC97AD5D-16B4-E880-B5A4-C3736BC1B3A0} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:08:33 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227927 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {FC97AD5D-16B4-E880-B5A4-C3736BC1B3A0} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:08:33 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=227926 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {FC97AD5D-16B4-E880-B5A4-C3736BC1B3A0} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:08:33 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=227925 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:08:33 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=227924 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x106DA8 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:08:33 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=227923 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x106DA8 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:08:33 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227922 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x106DA8 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {FC97AD5D-16B4-E880-B5A4-C3736BC1B3A0} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:08:33 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227921 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {FC97AD5D-16B4-E880-B5A4-C3736BC1B3A0} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:08:33 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=227920 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {FC97AD5D-16B4-E880-B5A4-C3736BC1B3A0} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:08:33 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=227919 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:08:33 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=227918 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x106D39 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:08:33 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=227917 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x10685B Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:08:33 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=227916 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x10539A Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:08:33 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=227915 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x106D39 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:08:33 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227914 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x106D39 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {FC97AD5D-16B4-E880-B5A4-C3736BC1B3A0} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:08:33 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227913 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {FC97AD5D-16B4-E880-B5A4-C3736BC1B3A0} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:08:33 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=227912 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {FC97AD5D-16B4-E880-B5A4-C3736BC1B3A0} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:08:33 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=227911 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:08:34 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228005 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x10BB61 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:08:34 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228004 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x10BB61 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {83372B8B-7EF5-64E1-A054-C58BCA1569BF} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:08:34 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228003 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {83372B8B-7EF5-64E1-A054-C58BCA1569BF} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:08:34 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=228002 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {83372B8B-7EF5-64E1-A054-C58BCA1569BF} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:08:34 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=228001 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:08:34 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228000 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x10A72E Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:08:34 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227999 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x10A72E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {83372B8B-7EF5-64E1-A054-C58BCA1569BF} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:08:34 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227998 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {83372B8B-7EF5-64E1-A054-C58BCA1569BF} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:08:34 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=227997 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {83372B8B-7EF5-64E1-A054-C58BCA1569BF} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:08:34 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=227996 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:08:34 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=227995 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x10A6A1 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:08:34 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227994 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x10A6A1 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {83372B8B-7EF5-64E1-A054-C58BCA1569BF} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:08:34 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227993 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {83372B8B-7EF5-64E1-A054-C58BCA1569BF} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:08:34 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=227992 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {83372B8B-7EF5-64E1-A054-C58BCA1569BF} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:08:34 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=227991 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:08:34 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=227990 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x10A67D Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:08:34 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=227989 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x10A67D Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:08:34 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227988 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x10A67D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {83372B8B-7EF5-64E1-A054-C58BCA1569BF} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:08:34 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227987 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {83372B8B-7EF5-64E1-A054-C58BCA1569BF} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:08:34 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=227986 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {83372B8B-7EF5-64E1-A054-C58BCA1569BF} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:08:34 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=227985 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:08:34 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=227984 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x108DD8 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:08:34 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=227983 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x108DD8 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:08:34 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227982 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x108DD8 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {83372B8B-7EF5-64E1-A054-C58BCA1569BF} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:08:34 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227981 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {83372B8B-7EF5-64E1-A054-C58BCA1569BF} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:08:34 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=227980 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {83372B8B-7EF5-64E1-A054-C58BCA1569BF} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:08:34 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=227979 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:08:34 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=227978 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x108D62 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:08:34 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227977 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x108D62 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {83372B8B-7EF5-64E1-A054-C58BCA1569BF} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:08:34 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227976 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {83372B8B-7EF5-64E1-A054-C58BCA1569BF} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:08:34 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=227975 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {83372B8B-7EF5-64E1-A054-C58BCA1569BF} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:08:34 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=227974 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:08:34 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=227973 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x108B13 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:08:34 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227972 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x108B13 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {83372B8B-7EF5-64E1-A054-C58BCA1569BF} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:08:34 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227971 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {83372B8B-7EF5-64E1-A054-C58BCA1569BF} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:08:34 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=227970 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {83372B8B-7EF5-64E1-A054-C58BCA1569BF} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:08:34 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=227969 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:08:34 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=227968 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x106DF9 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:08:34 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=227967 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x108ADE Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:08:34 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=227966 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x107044 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:08:34 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=227965 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x108ADE Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:08:34 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227964 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x108ADE Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {83372B8B-7EF5-64E1-A054-C58BCA1569BF} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:08:34 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227963 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {83372B8B-7EF5-64E1-A054-C58BCA1569BF} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:08:34 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=227962 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {83372B8B-7EF5-64E1-A054-C58BCA1569BF} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:08:34 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=227961 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:08:34 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=227960 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x108AC2 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:08:34 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=227959 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x108AC2 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:08:34 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227958 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x108AC2 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {83372B8B-7EF5-64E1-A054-C58BCA1569BF} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:08:34 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=227957 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {83372B8B-7EF5-64E1-A054-C58BCA1569BF} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:08:34 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=227956 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {83372B8B-7EF5-64E1-A054-C58BCA1569BF} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:08:34 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=227955 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:08:34 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=227954 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x1084F8 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:08:34 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=227953 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x1070CA Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:08:35 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228034 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x10D43E Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:08:35 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228033 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x10D43E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {9949A0B2-7BD1-8E61-902D-056603C97DEE} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:08:35 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228032 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {9949A0B2-7BD1-8E61-902D-056603C97DEE} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:08:35 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=228031 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {9949A0B2-7BD1-8E61-902D-056603C97DEE} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:08:35 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=228030 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:08:35 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228029 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x10CA31 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:08:35 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228028 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x10CA31 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {9949A0B2-7BD1-8E61-902D-056603C97DEE} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:08:35 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228027 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {9949A0B2-7BD1-8E61-902D-056603C97DEE} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:08:35 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=228026 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {9949A0B2-7BD1-8E61-902D-056603C97DEE} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:08:35 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=228025 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:08:35 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228024 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x10C9AD Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:08:35 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228023 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x10C9AD Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {9949A0B2-7BD1-8E61-902D-056603C97DEE} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:08:35 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228022 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {9949A0B2-7BD1-8E61-902D-056603C97DEE} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:08:35 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=228021 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {9949A0B2-7BD1-8E61-902D-056603C97DEE} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:08:35 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=228020 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:08:35 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=228019 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x10C991 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:08:35 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228018 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x10C991 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:08:35 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228017 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x10C991 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {9949A0B2-7BD1-8E61-902D-056603C97DEE} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:08:35 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228016 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {9949A0B2-7BD1-8E61-902D-056603C97DEE} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:08:35 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=228015 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {9949A0B2-7BD1-8E61-902D-056603C97DEE} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:08:35 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=228014 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:08:35 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=228013 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x10C2E4 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:08:35 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=228012 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x10BB61 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:08:35 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=228011 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x10A72E Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:08:35 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228010 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x10C2E4 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:08:35 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228009 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x10C2E4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {9949A0B2-7BD1-8E61-902D-056603C97DEE} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:08:35 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228008 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {9949A0B2-7BD1-8E61-902D-056603C97DEE} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:08:35 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=228007 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {9949A0B2-7BD1-8E61-902D-056603C97DEE} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:08:35 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=228006 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:08:36 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228076 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x10F19D Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:08:36 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228075 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x10F19D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {B05C682E-539D-25FF-F223-7082C86835E7} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:08:36 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228074 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {B05C682E-539D-25FF-F223-7082C86835E7} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:08:36 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=228073 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {B05C682E-539D-25FF-F223-7082C86835E7} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:08:36 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=228072 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:08:36 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228071 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x10F119 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:08:36 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228070 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x10F119 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {B05C682E-539D-25FF-F223-7082C86835E7} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:08:36 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228069 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {B05C682E-539D-25FF-F223-7082C86835E7} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:08:36 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=228068 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {B05C682E-539D-25FF-F223-7082C86835E7} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:08:36 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=228067 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:08:36 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=228066 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x10F0FD Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:08:36 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228065 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x10F0FD Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:08:36 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228064 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x10F0FD Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {B05C682E-539D-25FF-F223-7082C86835E7} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:08:36 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228063 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {B05C682E-539D-25FF-F223-7082C86835E7} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:08:36 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=228062 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {B05C682E-539D-25FF-F223-7082C86835E7} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:08:36 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=228061 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:08:36 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=228060 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x10EBDB Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:08:36 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=228059 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x10D7B1 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:08:36 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=228058 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0xF2947 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:08:36 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228057 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x10EBDB Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:08:36 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228056 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x10EBDB Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {B05C682E-539D-25FF-F223-7082C86835E7} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:08:36 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228055 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {B05C682E-539D-25FF-F223-7082C86835E7} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:08:36 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=228054 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {B05C682E-539D-25FF-F223-7082C86835E7} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:08:36 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=228053 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:08:36 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228052 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x10D7B1 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:08:36 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228051 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x10D7B1 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {B05C682E-539D-25FF-F223-7082C86835E7} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:08:36 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228050 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {B05C682E-539D-25FF-F223-7082C86835E7} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:08:36 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=228049 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {B05C682E-539D-25FF-F223-7082C86835E7} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:08:36 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=228048 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:08:36 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228047 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x10D73B Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:08:36 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228046 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x10D73B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {B05C682E-539D-25FF-F223-7082C86835E7} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:08:36 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228045 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {B05C682E-539D-25FF-F223-7082C86835E7} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:08:36 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=228044 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {B05C682E-539D-25FF-F223-7082C86835E7} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:08:36 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=228043 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:08:36 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=228042 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x10D71F Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:08:36 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228041 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x10D71F Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:08:36 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228040 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x10D71F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {B05C682E-539D-25FF-F223-7082C86835E7} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:08:36 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228039 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {B05C682E-539D-25FF-F223-7082C86835E7} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:08:36 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=228038 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {B05C682E-539D-25FF-F223-7082C86835E7} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:08:36 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=228037 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:08:36 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=228036 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x10D43E Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:08:36 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=228035 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x10CA31 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:08:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228115 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x111F1D Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:08:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228114 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x111F1D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {5EF44ABD-3CD0-D638-932C-98499CE7EA27} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:08:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228113 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {5EF44ABD-3CD0-D638-932C-98499CE7EA27} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:08:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=228112 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {5EF44ABD-3CD0-D638-932C-98499CE7EA27} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:08:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=228111 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:08:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228110 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x110B11 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:08:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228109 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x110B11 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {5EF44ABD-3CD0-D638-932C-98499CE7EA27} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:08:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228108 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {5EF44ABD-3CD0-D638-932C-98499CE7EA27} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:08:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=228107 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {5EF44ABD-3CD0-D638-932C-98499CE7EA27} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:08:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=228106 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:08:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228105 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x110A63 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:08:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228104 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x110A63 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {5EF44ABD-3CD0-D638-932C-98499CE7EA27} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:08:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228103 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {5EF44ABD-3CD0-D638-932C-98499CE7EA27} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:08:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=228102 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {5EF44ABD-3CD0-D638-932C-98499CE7EA27} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:08:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=228101 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:08:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228100 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x110818 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:08:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228099 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x110818 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {5EF44ABD-3CD0-D638-932C-98499CE7EA27} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:08:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228098 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {5EF44ABD-3CD0-D638-932C-98499CE7EA27} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:08:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=228097 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {5EF44ABD-3CD0-D638-932C-98499CE7EA27} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:08:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=228096 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:08:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=228095 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x108B13 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:08:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=228094 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x1107E3 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:08:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=228093 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x10C9AD Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:08:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=228092 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x10F119 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:08:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=228091 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x10D73B Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:08:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=228090 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x108D62 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:08:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=228089 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x10A6A1 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:08:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228088 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x1107E3 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:08:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228087 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x1107E3 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {5EF44ABD-3CD0-D638-932C-98499CE7EA27} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:08:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228086 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {5EF44ABD-3CD0-D638-932C-98499CE7EA27} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:08:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=228085 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {5EF44ABD-3CD0-D638-932C-98499CE7EA27} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:08:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=228084 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:08:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=228083 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x1107C7 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:08:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228082 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x1107C7 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:08:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228081 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x1107C7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {5EF44ABD-3CD0-D638-932C-98499CE7EA27} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:08:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228080 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {5EF44ABD-3CD0-D638-932C-98499CE7EA27} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:08:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=228079 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {5EF44ABD-3CD0-D638-932C-98499CE7EA27} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:08:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=228078 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:08:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=228077 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x10F19D Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:08:38 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228120 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x112788 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:08:38 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228119 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x112788 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {36C85450-2992-E470-BF0E-1C2379BEC330} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:08:38 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228118 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {36C85450-2992-E470-BF0E-1C2379BEC330} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:08:38 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=228117 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {36C85450-2992-E470-BF0E-1C2379BEC330} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:08:38 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=228116 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:08:39 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228152 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x115D74 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:08:39 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228151 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x115D74 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {49BEFBC2-5ABB-79E2-4CA6-47D7D492D9A8} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:08:39 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228150 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {49BEFBC2-5ABB-79E2-4CA6-47D7D492D9A8} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:08:39 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=228149 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {49BEFBC2-5ABB-79E2-4CA6-47D7D492D9A8} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:08:39 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=228148 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:08:39 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228147 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x115C7E Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:08:39 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228146 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x115C7E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {49BEFBC2-5ABB-79E2-4CA6-47D7D492D9A8} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:08:39 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228145 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {49BEFBC2-5ABB-79E2-4CA6-47D7D492D9A8} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:08:39 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=228144 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {49BEFBC2-5ABB-79E2-4CA6-47D7D492D9A8} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:08:39 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=228143 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:08:39 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228142 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x1159B0 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:08:39 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228141 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x1159B0 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {49BEFBC2-5ABB-79E2-4CA6-47D7D492D9A8} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:08:39 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228140 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {49BEFBC2-5ABB-79E2-4CA6-47D7D492D9A8} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:08:39 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=228139 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {49BEFBC2-5ABB-79E2-4CA6-47D7D492D9A8} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:08:39 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=228138 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:08:39 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=228137 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x110818 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:08:39 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=228136 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x115969 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:08:39 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=228135 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x110A63 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:08:39 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228134 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x115969 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:08:39 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228133 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x115969 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {49BEFBC2-5ABB-79E2-4CA6-47D7D492D9A8} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:08:39 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228132 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {49BEFBC2-5ABB-79E2-4CA6-47D7D492D9A8} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:08:39 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=228131 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {49BEFBC2-5ABB-79E2-4CA6-47D7D492D9A8} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:08:39 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=228130 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:08:39 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=228129 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x115947 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:08:39 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228128 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x115947 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:08:39 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228127 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x115947 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {49BEFBC2-5ABB-79E2-4CA6-47D7D492D9A8} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:08:39 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228126 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {49BEFBC2-5ABB-79E2-4CA6-47D7D492D9A8} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:08:39 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=228125 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {49BEFBC2-5ABB-79E2-4CA6-47D7D492D9A8} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:08:39 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=228124 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:08:39 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=228123 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x112788 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:08:39 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=228122 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x111F1D Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:08:39 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=228121 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x110B11 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:08:40 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228162 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x117E4B Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:08:40 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228161 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x117E4B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {2D8CB662-69D2-E9F5-B8C7-77EF9D6E2CD2} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:08:40 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228160 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {2D8CB662-69D2-E9F5-B8C7-77EF9D6E2CD2} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:08:40 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=228159 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {2D8CB662-69D2-E9F5-B8C7-77EF9D6E2CD2} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:08:40 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=228158 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:08:40 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228157 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x1174E2 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:08:40 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228156 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x1174E2 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {2D8CB662-69D2-E9F5-B8C7-77EF9D6E2CD2} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:08:40 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228155 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {2D8CB662-69D2-E9F5-B8C7-77EF9D6E2CD2} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:08:40 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=228154 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {2D8CB662-69D2-E9F5-B8C7-77EF9D6E2CD2} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:08:40 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=228153 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:08:41 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228199 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x11A52C Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:08:41 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228198 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x11A52C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {C85544FE-A778-B93C-29A0-17144D8C53B0} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:08:41 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228197 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {C85544FE-A778-B93C-29A0-17144D8C53B0} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:08:41 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=228196 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {C85544FE-A778-B93C-29A0-17144D8C53B0} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:08:41 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=228195 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:08:41 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228194 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x118DC9 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:08:41 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228193 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x118DC9 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {C85544FE-A778-B93C-29A0-17144D8C53B0} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:08:41 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228192 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {C85544FE-A778-B93C-29A0-17144D8C53B0} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:08:41 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=228191 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {C85544FE-A778-B93C-29A0-17144D8C53B0} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:08:41 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=228190 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:08:41 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228189 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x118CD0 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:08:41 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228188 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x118CD0 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {C85544FE-A778-B93C-29A0-17144D8C53B0} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:08:41 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228187 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {C85544FE-A778-B93C-29A0-17144D8C53B0} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:08:41 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=228186 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {C85544FE-A778-B93C-29A0-17144D8C53B0} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:08:41 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=228185 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:08:41 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228184 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x118A03 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:08:41 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228183 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x118A03 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {C85544FE-A778-B93C-29A0-17144D8C53B0} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:08:41 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228182 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {C85544FE-A778-B93C-29A0-17144D8C53B0} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:08:41 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=228181 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {C85544FE-A778-B93C-29A0-17144D8C53B0} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:08:41 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=228180 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:08:41 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=228179 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x1159B0 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:08:41 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=228178 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x1185AC Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:08:41 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=228177 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x115C7E Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:08:41 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228176 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x1185AC Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:08:41 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228175 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x1185AC Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {C85544FE-A778-B93C-29A0-17144D8C53B0} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:08:41 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228174 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {C85544FE-A778-B93C-29A0-17144D8C53B0} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:08:41 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=228173 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {C85544FE-A778-B93C-29A0-17144D8C53B0} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:08:41 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=228172 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:08:41 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=228171 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x11854B Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:08:41 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228170 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x11854B Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:08:41 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228169 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x11854B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {C85544FE-A778-B93C-29A0-17144D8C53B0} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:08:41 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228168 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {C85544FE-A778-B93C-29A0-17144D8C53B0} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:08:41 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=228167 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {C85544FE-A778-B93C-29A0-17144D8C53B0} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:08:41 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=228166 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:08:41 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=228165 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x117E4B Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:08:41 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=228164 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x1174E2 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:08:41 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=228163 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x115D74 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:08:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228241 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x11CCD7 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:08:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228240 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x11CCD7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {02FFC035-A2A2-D7DD-E763-15F913C04D1E} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:08:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228239 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {02FFC035-A2A2-D7DD-E763-15F913C04D1E} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:08:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=228238 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {02FFC035-A2A2-D7DD-E763-15F913C04D1E} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:08:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=228237 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:08:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228236 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x11B567 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:08:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228235 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x11B567 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {02FFC035-A2A2-D7DD-E763-15F913C04D1E} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:08:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228234 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {02FFC035-A2A2-D7DD-E763-15F913C04D1E} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:08:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=228233 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {02FFC035-A2A2-D7DD-E763-15F913C04D1E} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:08:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=228232 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:08:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228231 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x11B471 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:08:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228230 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x11B471 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {02FFC035-A2A2-D7DD-E763-15F913C04D1E} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:08:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228229 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {02FFC035-A2A2-D7DD-E763-15F913C04D1E} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:08:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=228228 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {02FFC035-A2A2-D7DD-E763-15F913C04D1E} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:08:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=228227 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:08:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228226 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x11B195 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:08:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228225 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x11B195 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {02FFC035-A2A2-D7DD-E763-15F913C04D1E} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:08:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228224 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {02FFC035-A2A2-D7DD-E763-15F913C04D1E} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:08:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=228223 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {02FFC035-A2A2-D7DD-E763-15F913C04D1E} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:08:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=228222 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:08:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=228221 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x118A03 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:08:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=228220 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x11B152 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:08:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=228219 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x118CD0 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:08:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228218 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x11B152 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:08:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228217 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x11B152 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {02FFC035-A2A2-D7DD-E763-15F913C04D1E} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:08:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228216 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {02FFC035-A2A2-D7DD-E763-15F913C04D1E} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:08:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=228215 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {02FFC035-A2A2-D7DD-E763-15F913C04D1E} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:08:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=228214 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:08:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=228213 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x11B130 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:08:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228212 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x11B130 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:08:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228211 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x11B130 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {02FFC035-A2A2-D7DD-E763-15F913C04D1E} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:08:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228210 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {02FFC035-A2A2-D7DD-E763-15F913C04D1E} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:08:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=228209 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {02FFC035-A2A2-D7DD-E763-15F913C04D1E} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:08:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=228208 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:08:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=228207 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x11AF86 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:08:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=228206 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x11A52C Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:08:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=228205 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x118DC9 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:08:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228204 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x11AF86 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:08:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228203 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x11AF86 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {02FFC035-A2A2-D7DD-E763-15F913C04D1E} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:08:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228202 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {02FFC035-A2A2-D7DD-E763-15F913C04D1E} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:08:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=228201 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {02FFC035-A2A2-D7DD-E763-15F913C04D1E} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:08:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=228200 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:08:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228278 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x11E12B Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:08:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228277 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x11E12B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {69F931D5-83A0-5AFE-26A7-A134DA6561AA} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:08:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228276 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {69F931D5-83A0-5AFE-26A7-A134DA6561AA} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:08:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=228275 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {69F931D5-83A0-5AFE-26A7-A134DA6561AA} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:08:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=228274 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:08:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228273 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x11E040 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:08:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228272 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x11E040 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {69F931D5-83A0-5AFE-26A7-A134DA6561AA} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:08:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228271 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {69F931D5-83A0-5AFE-26A7-A134DA6561AA} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:08:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=228270 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {69F931D5-83A0-5AFE-26A7-A134DA6561AA} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:08:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=228269 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:08:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228268 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x11DD7A Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:08:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228267 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x11DD7A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {69F931D5-83A0-5AFE-26A7-A134DA6561AA} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:08:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228266 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {69F931D5-83A0-5AFE-26A7-A134DA6561AA} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:08:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=228265 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {69F931D5-83A0-5AFE-26A7-A134DA6561AA} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:08:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=228264 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:08:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=228263 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x11B195 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:08:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=228262 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x11DD3B Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:08:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=228261 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x11B471 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:08:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228260 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x11DD3B Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:08:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228259 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x11DD3B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {69F931D5-83A0-5AFE-26A7-A134DA6561AA} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:08:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228258 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {69F931D5-83A0-5AFE-26A7-A134DA6561AA} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:08:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=228257 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {69F931D5-83A0-5AFE-26A7-A134DA6561AA} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:08:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=228256 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:08:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=228255 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x11DD19 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:08:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228254 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x11DD19 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:08:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228253 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x11DD19 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {69F931D5-83A0-5AFE-26A7-A134DA6561AA} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:08:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228252 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {69F931D5-83A0-5AFE-26A7-A134DA6561AA} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:08:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=228251 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {69F931D5-83A0-5AFE-26A7-A134DA6561AA} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:08:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=228250 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:08:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=228249 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x11DB3F Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:08:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=228248 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x11CCD7 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:08:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=228247 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x11B567 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:08:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228246 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x11DB3F Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:08:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228245 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x11DB3F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {69F931D5-83A0-5AFE-26A7-A134DA6561AA} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:08:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228244 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {69F931D5-83A0-5AFE-26A7-A134DA6561AA} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:08:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=228243 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {69F931D5-83A0-5AFE-26A7-A134DA6561AA} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:08:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=228242 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:08:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228323 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x121FF8 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:08:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228322 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x121FF8 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {FD571F76-F458-2967-349D-BB1227A46614} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:08:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228321 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {FD571F76-F458-2967-349D-BB1227A46614} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:08:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=228320 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {FD571F76-F458-2967-349D-BB1227A46614} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:08:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=228319 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:08:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=228318 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x120FDC Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:08:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228317 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x120FDC Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:08:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228316 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x120FDC Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {FD571F76-F458-2967-349D-BB1227A46614} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:08:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228315 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {FD571F76-F458-2967-349D-BB1227A46614} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:08:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=228314 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {FD571F76-F458-2967-349D-BB1227A46614} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:08:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=228313 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:08:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228312 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x120EEB Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:08:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228311 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x120EEB Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {FD571F76-F458-2967-349D-BB1227A46614} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:08:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228310 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {FD571F76-F458-2967-349D-BB1227A46614} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:08:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=228309 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {FD571F76-F458-2967-349D-BB1227A46614} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:08:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=228308 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:08:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228307 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x120C1F Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:08:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228306 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x120C1F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {FD571F76-F458-2967-349D-BB1227A46614} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:08:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228305 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {FD571F76-F458-2967-349D-BB1227A46614} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:08:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=228304 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {FD571F76-F458-2967-349D-BB1227A46614} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:08:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=228303 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:08:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=228302 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x120BEB Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:08:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228301 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x120BEB Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:08:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228300 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x120BEB Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {FD571F76-F458-2967-349D-BB1227A46614} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:08:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228299 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {FD571F76-F458-2967-349D-BB1227A46614} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:08:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=228298 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {FD571F76-F458-2967-349D-BB1227A46614} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:08:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=228297 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:08:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=228296 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x11F21E Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:08:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228295 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x11F21E Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:08:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228294 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x11F21E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {FD571F76-F458-2967-349D-BB1227A46614} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:08:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228293 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {FD571F76-F458-2967-349D-BB1227A46614} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:08:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=228292 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {FD571F76-F458-2967-349D-BB1227A46614} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:08:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=228291 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:08:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228290 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x11F13E Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:08:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228289 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x11F13E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {FD571F76-F458-2967-349D-BB1227A46614} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:08:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228288 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {FD571F76-F458-2967-349D-BB1227A46614} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:08:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=228287 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {FD571F76-F458-2967-349D-BB1227A46614} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:08:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=228286 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:08:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=228285 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x11F11C Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:08:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228284 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x11F11C Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:08:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228283 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x11F11C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {FD571F76-F458-2967-349D-BB1227A46614} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:08:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228282 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {FD571F76-F458-2967-349D-BB1227A46614} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:08:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=228281 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {FD571F76-F458-2967-349D-BB1227A46614} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:08:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=228280 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:08:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=228279 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x11E12B Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:08:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4616 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Security State Change OpCode=Info RecordNumber=228347 Keywords=Audit Success Message=The system time was changed. Subject: Security ID: NT AUTHORITY\LOCAL SERVICE Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Process Information: Process ID: 0x4c0 Name: C:\Windows\System32\svchost.exe Previous Time: ‎2020‎-‎10‎-‎09T09:08:46.892070000Z New Time: ‎2020‎-‎10‎-‎09T09:08:46.877000000Z This event is generated when the system time is changed. It is normal for the Windows Time Service, which runs with System privilege, to change the system time on a regular basis. Other system time changes may be indicative of attempts to tamper with the computer. 10/09/2020 09:08:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228346 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x123748 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:08:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228345 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x123748 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {690BB66D-3B06-01D6-0DB8-3B5559FA14D7} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:08:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228344 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {690BB66D-3B06-01D6-0DB8-3B5559FA14D7} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:08:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=228343 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {690BB66D-3B06-01D6-0DB8-3B5559FA14D7} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:08:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=228342 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:08:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=228341 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x12255E Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:08:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228340 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x12255E Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:08:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228339 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x12255E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {690BB66D-3B06-01D6-0DB8-3B5559FA14D7} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:08:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228338 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {690BB66D-3B06-01D6-0DB8-3B5559FA14D7} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:08:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=228337 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {690BB66D-3B06-01D6-0DB8-3B5559FA14D7} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:08:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=228336 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:08:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228335 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x122438 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:08:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228334 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x122438 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {690BB66D-3B06-01D6-0DB8-3B5559FA14D7} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:08:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228333 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {690BB66D-3B06-01D6-0DB8-3B5559FA14D7} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:08:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=228332 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {690BB66D-3B06-01D6-0DB8-3B5559FA14D7} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:08:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=228331 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:08:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228330 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x122106 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:08:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228329 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x122106 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {690BB66D-3B06-01D6-0DB8-3B5559FA14D7} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:08:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228328 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {690BB66D-3B06-01D6-0DB8-3B5559FA14D7} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:08:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=228327 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {690BB66D-3B06-01D6-0DB8-3B5559FA14D7} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:08:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=228326 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:08:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=228325 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x121FF8 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:08:46 AM LogName=Security SourceName=Microsoft-Windows-Eventlog EventCode=1100 EventType=4 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Service shutdown OpCode=Info RecordNumber=228324 Keywords=Audit Success Message=The event logging service has shut down. 10/09/2020 09:09:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=228352 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x284 New Process Name: C:\Windows\System32\csrss.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x27c Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 10/09/2020 09:09:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=228351 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x27c New Process Name: C:\Windows\System32\smss.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x1c0 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 10/09/2020 09:09:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=228350 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x24c New Process Name: C:\Windows\System32\autochk.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x1c0 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 10/09/2020 09:09:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=228349 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1c0 New Process Name: C:\Windows\System32\smss.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x4 Creator Process Name: Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 10/09/2020 09:09:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4826 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Other Policy Change Events OpCode=Info RecordNumber=228348 Keywords=Audit Success Message=Boot Configuration Data loaded. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 General Settings: Load Options: - Advanced Options: No Configuration Access Policy: Default System Event Logging: No Kernel Debugging: No VSM Launch Type: Off Signature Settings: Test Signing: No Flight Signing: No Disable Integrity Checks: No HyperVisor Settings: HyperVisor Load Options: - HyperVisor Launch Type: Off HyperVisor Debugging: No 10/09/2020 09:09:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4902 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228361 Keywords=Audit Success Message=The Per-user audit policy table was created. Number of Elements: 0 Policy ID: 0x602E 10/09/2020 09:09:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228360 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 0 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: - New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4 Process Name: Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: - Authentication Package: - Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:09:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4608 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Security State Change OpCode=Info RecordNumber=228359 Keywords=Audit Success Message=Windows is starting up. This event is logged when LSASS.EXE starts and the auditing subsystem is initialized. 10/09/2020 09:09:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=228358 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x364 New Process Name: C:\Windows\System32\lsass.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x2cc Creator Process Name: C:\Windows\System32\wininit.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 10/09/2020 09:09:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=228357 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x354 New Process Name: C:\Windows\System32\services.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x2cc Creator Process Name: C:\Windows\System32\wininit.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 10/09/2020 09:09:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=228356 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x320 New Process Name: C:\Windows\System32\winlogon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x2c4 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 10/09/2020 09:09:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=228355 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x2d4 New Process Name: C:\Windows\System32\csrss.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x2c4 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 10/09/2020 09:09:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=228354 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x2cc New Process Name: C:\Windows\System32\wininit.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x27c Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 10/09/2020 09:09:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=228353 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x2c4 New Process Name: C:\Windows\System32\smss.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x1c0 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 10/09/2020 09:09:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228363 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:09:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228362 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x354 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:09:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5024 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Other System Events OpCode=Info RecordNumber=228379 Keywords=Audit Success Message=The Windows Firewall service started successfully. 10/09/2020 09:09:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=228378 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Group: Security ID: BUILTIN\Backup Operators Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x468 Process Name: C:\Windows\System32\svchost.exe 10/09/2020 09:09:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=228377 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Group: Security ID: BUILTIN\Administrators Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x468 Process Name: C:\Windows\System32\svchost.exe 10/09/2020 09:09:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5033 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Other System Events OpCode=Info RecordNumber=228376 Keywords=Audit Success Message=The Windows Firewall Driver started successfully. 10/09/2020 09:09:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228375 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: Window Manager\DWM-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0xB44E Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege 10/09/2020 09:09:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228374 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: Window Manager\DWM-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0xB49E Linked Logon ID: 0xB44E Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:09:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228373 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: Window Manager\DWM-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0xB44E Linked Logon ID: 0xB49E Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:09:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228372 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: DWM-1 Account Domain: Window Manager Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\winlogon.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:09:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228371 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:09:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228370 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x354 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:09:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228369 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\LOCAL SERVICE Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege 10/09/2020 09:09:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228368 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\LOCAL SERVICE Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x354 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:09:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228367 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:09:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228366 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x354 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:09:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228365 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: NETWORK SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E4 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege 10/09/2020 09:09:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228364 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: NETWORK SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x354 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:09:21 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=228381 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Group: Security ID: BUILTIN\Backup Operators Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x4f0 Process Name: C:\Windows\System32\svchost.exe 10/09/2020 09:09:21 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=228380 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Group: Security ID: BUILTIN\Administrators Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x4f0 Process Name: C:\Windows\System32\svchost.exe 10/09/2020 09:09:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228383 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:09:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228382 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x354 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:09:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228387 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:09:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228386 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x354 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:09:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=228385 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Group: Security ID: BUILTIN\Backup Operators Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x364 Process Name: C:\Windows\System32\lsass.exe 10/09/2020 09:09:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=228384 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Group: Security ID: BUILTIN\Administrators Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x364 Process Name: C:\Windows\System32\lsass.exe 10/09/2020 09:09:35 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228404 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:09:35 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228403 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x354 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:09:35 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228402 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:09:35 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228401 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x354 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:09:35 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228400 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:09:35 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228399 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x354 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:09:35 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228398 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\ANONYMOUS LOGON Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x2BB6A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V1 Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:09:35 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228397 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:09:35 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228396 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x354 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:09:35 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228395 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:09:35 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228394 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x354 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:09:35 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228393 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:09:35 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228392 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:09:35 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228391 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x354 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:09:35 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228390 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x354 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:09:35 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228389 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:09:35 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228388 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x354 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:09:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228408 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x3E86D Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:09:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228407 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x3E86D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4f0 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:09:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228406 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4f0 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:09:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=228405 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-DC-1796611 Error Code: 0x0 10/09/2020 09:09:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228412 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x42A7E Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:09:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228411 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x42A7E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4f0 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:09:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228410 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4f0 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:09:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=228409 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-DC-1796611 Error Code: 0x0 10/09/2020 09:09:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228427 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Delegation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x43033 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {44B3577B-C4B9-0576-98C2-862C2D9E5BC4} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: fe80::15f7:4ea2:8f9e:67e8 Source Port: 49695 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:09:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228426 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x43033 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 10/09/2020 09:09:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=228425 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: WIN-DC-1796611$@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {25995C9B-4FD0-D5B2-C131-EFFA266EDADD} Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x60810010 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:09:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228424 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x42DA7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {44B3577B-C4B9-0576-98C2-862C2D9E5BC4} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: fe80::15f7:4ea2:8f9e:67e8 Source Port: 49694 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:09:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228423 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x42DA6 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {44B3577B-C4B9-0576-98C2-862C2D9E5BC4} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: ::1 Source Port: 49693 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:09:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228422 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x42DA7 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 10/09/2020 09:09:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228421 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x42DA6 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 10/09/2020 09:09:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=228420 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: WIN-DC-1796611$@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {25995C9B-4FD0-D5B2-C131-EFFA266EDADD} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:09:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=228419 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: WIN-DC-1796611$@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {25995C9B-4FD0-D5B2-C131-EFFA266EDADD} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:09:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=228418 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: WIN-DC-1796611$ Supplied Realm Name: ATTACKRANGE.LOCAL User ID: ATTACKRANGE\WIN-DC-1796611$ Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:09:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=228417 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: WIN-DC-1796611$ Supplied Realm Name: ATTACKRANGE.LOCAL User ID: ATTACKRANGE\WIN-DC-1796611$ Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:09:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228416 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x42B9D Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:09:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228415 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x42B9D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4f0 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:09:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228414 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4f0 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:09:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=228413 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-DC-1796611 Error Code: 0x0 10/09/2020 09:09:59 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=228433 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\WIN-DC-1796611$ Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x45971 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:09:59 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228432 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\WIN-DC-1796611$ Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x45971 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {F1983076-FB32-267F-89D0-2318C5C307DC} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.0.1.14 Source Port: 49699 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:09:59 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228431 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\WIN-DC-1796611$ Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x45971 Privileges: SeAuditPrivilege SeImpersonatePrivilege SeAssignPrimaryTokenPrivilege 10/09/2020 09:09:59 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=228430 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: WIN-DC-1796611$@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {9B3A527A-89BC-A078-D7C0-2461EFC4A594} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40800000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:09:59 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=228429 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: WIN-DC-1796611$ Supplied Realm Name: attackrange.local User ID: ATTACKRANGE\WIN-DC-1796611$ Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:09:59 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=228428 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Group: Security ID: BUILTIN\Administrators Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x468 Process Name: C:\Windows\System32\svchost.exe 10/09/2020 09:10:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=228456 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x4A4A7 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:10:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=228455 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x4A702 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:10:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228454 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x4A702 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {147D98C0-2AA9-43C0-28E5-B399A325054F} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: ::1 Source Port: 0 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:10:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228453 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x4A702 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 10/09/2020 09:10:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=228452 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x4A5C0 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:10:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=228451 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x4A610 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:10:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228450 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x4A610 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {147D98C0-2AA9-43C0-28E5-B399A325054F} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.0.1.14 Source Port: 56373 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:10:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228449 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x4A610 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 10/09/2020 09:10:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228448 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x4A5C0 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {147D98C0-2AA9-43C0-28E5-B399A325054F} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: ::1 Source Port: 0 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:10:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228447 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x4A5C0 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 10/09/2020 09:10:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=228446 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: WIN-DC-1796611$@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {6EAA3CD5-0860-8596-2C7F-B5EF87C6DADF} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:10:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228445 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x4A4A7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {147D98C0-2AA9-43C0-28E5-B399A325054F} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: fe80::15f7:4ea2:8f9e:67e8 Source Port: 56372 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:10:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228444 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x4A4A7 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 10/09/2020 09:10:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228443 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x4A3D7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {147D98C0-2AA9-43C0-28E5-B399A325054F} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: fe80::15f7:4ea2:8f9e:67e8 Source Port: 56371 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:10:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228442 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x4A3D7 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 10/09/2020 09:10:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=228441 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: WIN-DC-1796611$@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {6EAA3CD5-0860-8596-2C7F-B5EF87C6DADF} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40800000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:10:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228440 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Delegation New Logon: Security ID: ATTACKRANGE\WIN-DC-1796611$ Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x4A2F5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {147D98C0-2AA9-43C0-28E5-B399A325054F} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:10:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228439 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\WIN-DC-1796611$ Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x4A2F5 Privileges: SeAuditPrivilege SeImpersonatePrivilege SeAssignPrimaryTokenPrivilege 10/09/2020 09:10:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=228438 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: WIN-DC-1796611$@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {6EAA3CD5-0860-8596-2C7F-B5EF87C6DADF} Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x60810010 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:10:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=228437 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: WIN-DC-1796611$@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {6EAA3CD5-0860-8596-2C7F-B5EF87C6DADF} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:10:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228436 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Delegation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x4A2B2 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {147D98C0-2AA9-43C0-28E5-B399A325054F} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: fe80::15f7:4ea2:8f9e:67e8 Source Port: 49698 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:10:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228435 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x4A2B2 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 10/09/2020 09:10:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=228434 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: WIN-DC-1796611$@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {6EAA3CD5-0860-8596-2C7F-B5EF87C6DADF} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40800000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:10:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228458 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x4B735 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {44B3577B-C4B9-0576-98C2-862C2D9E5BC4} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: fe80::15f7:4ea2:8f9e:67e8 Source Port: 56375 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:10:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228457 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x4B735 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 10/09/2020 09:10:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228476 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x4BBB9 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:10:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228475 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x4BBB9 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {1AA34C07-3DC1-7354-8178-A45E21D59163} Process Information: Process ID: 0x4f0 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:10:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228474 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {1AA34C07-3DC1-7354-8178-A45E21D59163} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4f0 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:10:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=228473 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {1AA34C07-3DC1-7354-8178-A45E21D59163} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:10:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=228472 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:10:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228471 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x4BAD2 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:10:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228470 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x4BAD2 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {1AA34C07-3DC1-7354-8178-A45E21D59163} Process Information: Process ID: 0x4f0 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:10:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228469 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {1AA34C07-3DC1-7354-8178-A45E21D59163} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4f0 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:10:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=228468 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {1AA34C07-3DC1-7354-8178-A45E21D59163} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:10:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=228467 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:10:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228466 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x4B807 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:10:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228465 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x4B807 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {1AA34C07-3DC1-7354-8178-A45E21D59163} Process Information: Process ID: 0x4f0 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:10:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228464 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {1AA34C07-3DC1-7354-8178-A45E21D59163} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4f0 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:10:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=228463 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {1AA34C07-3DC1-7354-8178-A45E21D59163} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:10:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=228462 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:10:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=228461 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x42A7E Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:10:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=228513 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x4CCF3 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:10:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=228512 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x4DE23 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:10:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=228511 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x4CFDE Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:10:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228510 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x4DE23 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:10:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228509 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x4DE23 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {CDBEFAC3-25EA-8A98-8A93-323E11D846F7} Process Information: Process ID: 0x4f0 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:10:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228508 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {CDBEFAC3-25EA-8A98-8A93-323E11D846F7} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4f0 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:10:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=228507 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {CDBEFAC3-25EA-8A98-8A93-323E11D846F7} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:10:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=228506 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:10:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=228505 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x4DE01 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:10:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228504 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x4DE01 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:10:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228503 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x4DE01 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {CDBEFAC3-25EA-8A98-8A93-323E11D846F7} Process Information: Process ID: 0x4f0 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:10:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228502 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {CDBEFAC3-25EA-8A98-8A93-323E11D846F7} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4f0 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:10:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=228501 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {CDBEFAC3-25EA-8A98-8A93-323E11D846F7} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:10:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=228500 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:10:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=228499 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x4D0AC Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:10:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228498 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x4D0AC Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:10:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228497 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x4D0AC Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {CDBEFAC3-25EA-8A98-8A93-323E11D846F7} Process Information: Process ID: 0x4f0 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:10:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228496 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {CDBEFAC3-25EA-8A98-8A93-323E11D846F7} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4f0 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:10:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=228495 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {CDBEFAC3-25EA-8A98-8A93-323E11D846F7} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:10:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=228494 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:10:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228493 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x4CFDE Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:10:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228492 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x4CFDE Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {CDBEFAC3-25EA-8A98-8A93-323E11D846F7} Process Information: Process ID: 0x4f0 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:10:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228491 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {CDBEFAC3-25EA-8A98-8A93-323E11D846F7} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4f0 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:10:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=228490 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {CDBEFAC3-25EA-8A98-8A93-323E11D846F7} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:10:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=228489 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:10:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228488 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x4CCF3 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:10:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228487 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x4CCF3 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {CDBEFAC3-25EA-8A98-8A93-323E11D846F7} Process Information: Process ID: 0x4f0 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:10:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228486 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {CDBEFAC3-25EA-8A98-8A93-323E11D846F7} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4f0 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:10:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=228485 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {CDBEFAC3-25EA-8A98-8A93-323E11D846F7} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:10:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=228484 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:10:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=228483 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x4CCBF Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:10:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228482 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x4CCBF Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:10:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228481 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x4CCBF Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {CDBEFAC3-25EA-8A98-8A93-323E11D846F7} Process Information: Process ID: 0x4f0 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:10:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228480 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {CDBEFAC3-25EA-8A98-8A93-323E11D846F7} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4f0 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:10:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=228479 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {CDBEFAC3-25EA-8A98-8A93-323E11D846F7} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:10:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=228478 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:10:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=228477 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x4BBB9 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:10:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=228534 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x4A2B2 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:10:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228533 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x4FC0A Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:10:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228532 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x4FC0A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {068F0E05-780B-AB34-382B-B659CE2E7C82} Process Information: Process ID: 0x4f0 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:10:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228531 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {068F0E05-780B-AB34-382B-B659CE2E7C82} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4f0 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:10:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=228530 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {068F0E05-780B-AB34-382B-B659CE2E7C82} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:10:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=228529 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:10:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228528 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x4E47C Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:10:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228527 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x4E47C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {068F0E05-780B-AB34-382B-B659CE2E7C82} Process Information: Process ID: 0x4f0 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:10:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228526 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {068F0E05-780B-AB34-382B-B659CE2E7C82} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4f0 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:10:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=228525 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {068F0E05-780B-AB34-382B-B659CE2E7C82} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:10:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=228524 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:10:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228523 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x4E395 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:10:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228522 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x4E395 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {068F0E05-780B-AB34-382B-B659CE2E7C82} Process Information: Process ID: 0x4f0 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:10:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228521 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {068F0E05-780B-AB34-382B-B659CE2E7C82} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4f0 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:10:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=228520 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {068F0E05-780B-AB34-382B-B659CE2E7C82} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:10:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=228519 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:10:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228518 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x4E0B1 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:10:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228517 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x4E0B1 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {068F0E05-780B-AB34-382B-B659CE2E7C82} Process Information: Process ID: 0x4f0 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:10:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228516 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {068F0E05-780B-AB34-382B-B659CE2E7C82} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4f0 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:10:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=228515 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {068F0E05-780B-AB34-382B-B659CE2E7C82} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:10:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=228514 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:10:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228539 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x50183 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:10:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228538 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x50183 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {CEFDC986-6437-CBBA-A06D-EB3AD620DB17} Process Information: Process ID: 0x4f0 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:10:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228537 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {CEFDC986-6437-CBBA-A06D-EB3AD620DB17} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4f0 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:10:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=228536 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {CEFDC986-6437-CBBA-A06D-EB3AD620DB17} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:10:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=228535 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:10:21 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=228540 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x4E0B1 Group: Security ID: BUILTIN\Administrators Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x102c Process Name: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 10/09/2020 09:10:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228571 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x5674A Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:10:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228570 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x5674A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {5BD780A3-0A0A-DD7B-BA23-2F89819D72B9} Process Information: Process ID: 0x4f0 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:10:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228569 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {5BD780A3-0A0A-DD7B-BA23-2F89819D72B9} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4f0 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:10:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=228568 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {5BD780A3-0A0A-DD7B-BA23-2F89819D72B9} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:10:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=228567 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:10:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228566 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x5665D Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:10:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228565 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x5665D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {5BD780A3-0A0A-DD7B-BA23-2F89819D72B9} Process Information: Process ID: 0x4f0 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:10:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228564 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {5BD780A3-0A0A-DD7B-BA23-2F89819D72B9} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4f0 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:10:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=228563 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {5BD780A3-0A0A-DD7B-BA23-2F89819D72B9} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:10:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=228562 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:10:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228561 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x5639D Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:10:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228560 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x5639D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {5BD780A3-0A0A-DD7B-BA23-2F89819D72B9} Process Information: Process ID: 0x4f0 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:10:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228559 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {5BD780A3-0A0A-DD7B-BA23-2F89819D72B9} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4f0 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:10:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=228558 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {5BD780A3-0A0A-DD7B-BA23-2F89819D72B9} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:10:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=228557 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:10:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=228556 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x5635A Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:10:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=228555 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x4E395 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:10:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228554 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x5635A Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:10:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228553 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x5635A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {5BD780A3-0A0A-DD7B-BA23-2F89819D72B9} Process Information: Process ID: 0x4f0 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:10:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228552 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {5BD780A3-0A0A-DD7B-BA23-2F89819D72B9} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4f0 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:10:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=228551 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {5BD780A3-0A0A-DD7B-BA23-2F89819D72B9} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:10:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=228550 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:10:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=228549 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x56338 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:10:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228548 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x56338 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:10:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228547 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x56338 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {5BD780A3-0A0A-DD7B-BA23-2F89819D72B9} Process Information: Process ID: 0x4f0 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:10:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228546 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {5BD780A3-0A0A-DD7B-BA23-2F89819D72B9} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4f0 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:10:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=228545 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {5BD780A3-0A0A-DD7B-BA23-2F89819D72B9} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:10:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=228544 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:10:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=228543 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x50183 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:10:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=228542 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x4FC0A Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:10:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=228541 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x4E47C Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:10:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228581 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x5860C Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:10:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228580 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x5860C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {E4848810-5F81-94AC-736E-D6A6F3A02E00} Process Information: Process ID: 0x4f0 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:10:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228579 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {E4848810-5F81-94AC-736E-D6A6F3A02E00} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4f0 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:10:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=228578 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {E4848810-5F81-94AC-736E-D6A6F3A02E00} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:10:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=228577 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:10:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228576 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x57EC1 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:10:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228575 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x57EC1 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {E4848810-5F81-94AC-736E-D6A6F3A02E00} Process Information: Process ID: 0x4f0 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:10:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228574 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {E4848810-5F81-94AC-736E-D6A6F3A02E00} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4f0 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:10:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=228573 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {E4848810-5F81-94AC-736E-D6A6F3A02E00} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:10:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=228572 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:10:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228605 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x5A39E Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:10:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228604 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x5A39E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {DB766641-FBD8-F381-E7C2-0A65DA142348} Process Information: Process ID: 0x4f0 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:10:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228603 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {DB766641-FBD8-F381-E7C2-0A65DA142348} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4f0 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:10:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=228602 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {DB766641-FBD8-F381-E7C2-0A65DA142348} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:10:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=228601 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:10:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228600 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x58C16 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:10:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228599 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x58C16 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {DB766641-FBD8-F381-E7C2-0A65DA142348} Process Information: Process ID: 0x4f0 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:10:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228598 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {DB766641-FBD8-F381-E7C2-0A65DA142348} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4f0 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:10:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=228597 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {DB766641-FBD8-F381-E7C2-0A65DA142348} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:10:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=228596 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:10:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228595 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x58B3B Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:10:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228594 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x58B3B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {DB766641-FBD8-F381-E7C2-0A65DA142348} Process Information: Process ID: 0x4f0 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:10:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228593 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {DB766641-FBD8-F381-E7C2-0A65DA142348} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4f0 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:10:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=228592 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {DB766641-FBD8-F381-E7C2-0A65DA142348} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:10:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=228591 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:10:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=228590 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x58B19 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:10:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228589 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x58B19 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:10:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228588 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x58B19 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {DB766641-FBD8-F381-E7C2-0A65DA142348} Process Information: Process ID: 0x4f0 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:10:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228587 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {DB766641-FBD8-F381-E7C2-0A65DA142348} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4f0 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:10:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=228586 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {DB766641-FBD8-F381-E7C2-0A65DA142348} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:10:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=228585 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:10:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=228584 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x5860C Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:10:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=228583 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x57EC1 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:10:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=228582 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x5674A Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:10:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228648 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x5CBB9 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:10:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228647 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x5CBB9 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {873E8DB8-A542-2915-B8A7-914CA7791044} Process Information: Process ID: 0x4f0 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:10:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228646 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {873E8DB8-A542-2915-B8A7-914CA7791044} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4f0 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:10:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=228645 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {873E8DB8-A542-2915-B8A7-914CA7791044} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:10:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=228644 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:10:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228643 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x5B43C Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:10:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228642 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x5B43C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {873E8DB8-A542-2915-B8A7-914CA7791044} Process Information: Process ID: 0x4f0 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:10:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228641 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {873E8DB8-A542-2915-B8A7-914CA7791044} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4f0 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:10:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=228640 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {873E8DB8-A542-2915-B8A7-914CA7791044} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:10:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=228639 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:10:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228638 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x5B346 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:10:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228637 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x5B346 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {873E8DB8-A542-2915-B8A7-914CA7791044} Process Information: Process ID: 0x4f0 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:10:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228636 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {873E8DB8-A542-2915-B8A7-914CA7791044} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4f0 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:10:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=228635 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {873E8DB8-A542-2915-B8A7-914CA7791044} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:10:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=228634 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:10:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228633 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x5B076 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:10:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228632 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x5B076 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {873E8DB8-A542-2915-B8A7-914CA7791044} Process Information: Process ID: 0x4f0 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:10:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228631 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {873E8DB8-A542-2915-B8A7-914CA7791044} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4f0 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:10:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=228630 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {873E8DB8-A542-2915-B8A7-914CA7791044} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:10:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=228629 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:10:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=228628 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x5639D Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:10:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=228627 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x5B035 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:10:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=228626 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x58B3B Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:10:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=228625 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x5665D Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:10:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228624 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x5B035 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:10:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228623 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x5B035 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {873E8DB8-A542-2915-B8A7-914CA7791044} Process Information: Process ID: 0x4f0 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:10:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228622 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {873E8DB8-A542-2915-B8A7-914CA7791044} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4f0 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:10:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=228621 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {873E8DB8-A542-2915-B8A7-914CA7791044} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:10:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=228620 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:10:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=228619 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x5B013 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:10:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228618 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x5B013 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:10:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228617 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x5B013 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {873E8DB8-A542-2915-B8A7-914CA7791044} Process Information: Process ID: 0x4f0 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:10:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228616 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {873E8DB8-A542-2915-B8A7-914CA7791044} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4f0 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:10:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=228615 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {873E8DB8-A542-2915-B8A7-914CA7791044} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:10:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=228614 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:10:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=228613 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x5AE69 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:10:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=228612 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x5A39E Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:10:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=228611 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x58C16 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:10:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228610 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x5AE69 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:10:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228609 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x5AE69 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {873E8DB8-A542-2915-B8A7-914CA7791044} Process Information: Process ID: 0x4f0 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:10:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228608 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {873E8DB8-A542-2915-B8A7-914CA7791044} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4f0 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:10:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=228607 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {873E8DB8-A542-2915-B8A7-914CA7791044} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:10:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=228606 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:10:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228653 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x5D613 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:10:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228652 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x5D613 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {7BF637E6-C136-9DBF-FB52-368A0700ED34} Process Information: Process ID: 0x4f0 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:10:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228651 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {7BF637E6-C136-9DBF-FB52-368A0700ED34} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4f0 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:10:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=228650 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {7BF637E6-C136-9DBF-FB52-368A0700ED34} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:10:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=228649 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:10:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228675 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x604EA Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:10:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228674 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x604EA Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {AAD07539-04B7-206A-3286-F35D24CE1B91} Process Information: Process ID: 0x4f0 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:10:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228673 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {AAD07539-04B7-206A-3286-F35D24CE1B91} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4f0 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:10:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=228672 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {AAD07539-04B7-206A-3286-F35D24CE1B91} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:10:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=228671 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:10:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=228670 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x5B076 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:10:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=228669 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x604A0 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:10:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=228668 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x5B346 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:10:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228667 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x604A0 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:10:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228666 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x604A0 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {AAD07539-04B7-206A-3286-F35D24CE1B91} Process Information: Process ID: 0x4f0 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:10:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228665 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {AAD07539-04B7-206A-3286-F35D24CE1B91} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4f0 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:10:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=228664 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {AAD07539-04B7-206A-3286-F35D24CE1B91} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:10:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=228663 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:10:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=228662 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x6047E Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:10:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228661 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x6047E Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:10:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228660 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x6047E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {AAD07539-04B7-206A-3286-F35D24CE1B91} Process Information: Process ID: 0x4f0 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:10:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228659 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {AAD07539-04B7-206A-3286-F35D24CE1B91} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4f0 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:10:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=228658 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {AAD07539-04B7-206A-3286-F35D24CE1B91} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:10:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=228657 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:10:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=228656 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x5D613 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:10:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=228655 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x5CBB9 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:10:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=228654 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x5B43C Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:10:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228695 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x62ACB Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:10:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228694 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x62ACB Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {21751758-7375-C9C1-7F57-D37572A4D229} Process Information: Process ID: 0x4f0 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:10:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228693 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {21751758-7375-C9C1-7F57-D37572A4D229} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4f0 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:10:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=228692 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {21751758-7375-C9C1-7F57-D37572A4D229} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:10:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=228691 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:10:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228690 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x6202C Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:10:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228689 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x6202C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {21751758-7375-C9C1-7F57-D37572A4D229} Process Information: Process ID: 0x4f0 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:10:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228688 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {21751758-7375-C9C1-7F57-D37572A4D229} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4f0 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:10:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=228687 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {21751758-7375-C9C1-7F57-D37572A4D229} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:10:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=228686 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:10:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228685 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x60897 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:10:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228684 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x60897 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {21751758-7375-C9C1-7F57-D37572A4D229} Process Information: Process ID: 0x4f0 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:10:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228683 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {21751758-7375-C9C1-7F57-D37572A4D229} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4f0 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:10:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=228682 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {21751758-7375-C9C1-7F57-D37572A4D229} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:10:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=228681 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:10:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228680 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x607AA Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:10:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228679 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x607AA Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {21751758-7375-C9C1-7F57-D37572A4D229} Process Information: Process ID: 0x4f0 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:10:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228678 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {21751758-7375-C9C1-7F57-D37572A4D229} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4f0 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:10:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=228677 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {21751758-7375-C9C1-7F57-D37572A4D229} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:10:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=228676 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:10:32 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228732 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x67F76 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:10:32 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228731 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x67F76 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {8DD1780D-F129-E4AC-20C2-5D039C4353D0} Process Information: Process ID: 0x4f0 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:10:32 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228730 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {8DD1780D-F129-E4AC-20C2-5D039C4353D0} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4f0 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:10:32 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=228729 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {8DD1780D-F129-E4AC-20C2-5D039C4353D0} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:10:32 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=228728 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:10:32 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228727 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x667F2 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:10:32 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228726 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x667F2 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {8DD1780D-F129-E4AC-20C2-5D039C4353D0} Process Information: Process ID: 0x4f0 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:10:32 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228725 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {8DD1780D-F129-E4AC-20C2-5D039C4353D0} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4f0 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:10:32 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=228724 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {8DD1780D-F129-E4AC-20C2-5D039C4353D0} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:10:32 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=228723 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:10:32 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228722 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x666EE Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:10:32 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228721 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x666EE Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {8DD1780D-F129-E4AC-20C2-5D039C4353D0} Process Information: Process ID: 0x4f0 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:10:32 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228720 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {8DD1780D-F129-E4AC-20C2-5D039C4353D0} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4f0 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:10:32 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=228719 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {8DD1780D-F129-E4AC-20C2-5D039C4353D0} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:10:32 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=228718 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:10:32 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228717 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x66422 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:10:32 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228716 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x66422 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {8DD1780D-F129-E4AC-20C2-5D039C4353D0} Process Information: Process ID: 0x4f0 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:10:32 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228715 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {8DD1780D-F129-E4AC-20C2-5D039C4353D0} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4f0 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:10:32 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=228714 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {8DD1780D-F129-E4AC-20C2-5D039C4353D0} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:10:32 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=228713 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:10:32 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=228712 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x604EA Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:10:32 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=228711 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x663DF Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:10:32 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=228710 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x607AA Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:10:32 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228709 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x663DF Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:10:32 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228708 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x663DF Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {8DD1780D-F129-E4AC-20C2-5D039C4353D0} Process Information: Process ID: 0x4f0 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:10:32 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228707 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {8DD1780D-F129-E4AC-20C2-5D039C4353D0} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4f0 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:10:32 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=228706 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {8DD1780D-F129-E4AC-20C2-5D039C4353D0} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:10:32 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=228705 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:10:32 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=228704 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x663BD Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:10:32 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228703 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x663BD Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:10:32 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228702 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x663BD Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {8DD1780D-F129-E4AC-20C2-5D039C4353D0} Process Information: Process ID: 0x4f0 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:10:32 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228701 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {8DD1780D-F129-E4AC-20C2-5D039C4353D0} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4f0 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:10:32 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=228700 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {8DD1780D-F129-E4AC-20C2-5D039C4353D0} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:10:32 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=228699 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:10:32 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=228698 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x62ACB Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:10:32 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=228697 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x6202C Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:10:32 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=228696 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x60897 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:10:33 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228737 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x68A97 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:10:33 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228736 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x68A97 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {9BEB7465-246F-0F03-7686-9BDEE3DBA391} Process Information: Process ID: 0x4f0 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:10:33 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228735 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {9BEB7465-246F-0F03-7686-9BDEE3DBA391} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4f0 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:10:33 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=228734 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {9BEB7465-246F-0F03-7686-9BDEE3DBA391} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:10:33 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=228733 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:10:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228744 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x72568 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {44B3577B-C4B9-0576-98C2-862C2D9E5BC4} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: ::1 Source Port: 56404 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:10:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228743 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x72568 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 10/09/2020 09:10:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=228742 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x7245B Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:10:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228741 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x7245B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {44B3577B-C4B9-0576-98C2-862C2D9E5BC4} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: ::1 Source Port: 56403 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:10:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228740 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x7245B Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 10/09/2020 09:10:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228739 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x72414 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {44B3577B-C4B9-0576-98C2-862C2D9E5BC4} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: ::1 Source Port: 56402 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:10:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228738 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x72414 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 10/09/2020 09:10:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228776 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x758A8 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:10:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228775 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x758A8 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {45914900-4C49-425B-C54B-FC138B6EDEE9} Process Information: Process ID: 0x4f0 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:10:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228774 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {45914900-4C49-425B-C54B-FC138B6EDEE9} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4f0 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:10:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=228773 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {45914900-4C49-425B-C54B-FC138B6EDEE9} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:10:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=228772 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:10:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228771 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x757BB Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:10:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228770 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x757BB Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {45914900-4C49-425B-C54B-FC138B6EDEE9} Process Information: Process ID: 0x4f0 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:10:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228769 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {45914900-4C49-425B-C54B-FC138B6EDEE9} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4f0 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:10:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=228768 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {45914900-4C49-425B-C54B-FC138B6EDEE9} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:10:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=228767 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:10:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228766 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x754CF Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:10:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228765 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x754CF Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {45914900-4C49-425B-C54B-FC138B6EDEE9} Process Information: Process ID: 0x4f0 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:10:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228764 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {45914900-4C49-425B-C54B-FC138B6EDEE9} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4f0 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:10:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=228763 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {45914900-4C49-425B-C54B-FC138B6EDEE9} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:10:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=228762 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:10:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=228761 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x66422 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:10:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=228760 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x75371 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:10:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=228759 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x666EE Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:10:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228758 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x75371 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:10:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228757 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x75371 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {45914900-4C49-425B-C54B-FC138B6EDEE9} Process Information: Process ID: 0x4f0 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:10:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228756 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {45914900-4C49-425B-C54B-FC138B6EDEE9} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4f0 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:10:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=228755 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {45914900-4C49-425B-C54B-FC138B6EDEE9} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:10:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=228754 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:10:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=228753 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x75341 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:10:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228752 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x75341 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:10:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228751 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x75341 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {45914900-4C49-425B-C54B-FC138B6EDEE9} Process Information: Process ID: 0x4f0 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:10:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228750 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {45914900-4C49-425B-C54B-FC138B6EDEE9} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4f0 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:10:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=228749 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {45914900-4C49-425B-C54B-FC138B6EDEE9} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:10:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=228748 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:10:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=228747 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x68A97 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:10:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=228746 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x67F76 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:10:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=228745 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x667F2 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:10:52 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228786 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x77D18 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:10:52 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228785 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x77D18 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {EAC0FCDD-4547-8BEE-45AA-23526F8D460C} Process Information: Process ID: 0x4f0 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:10:52 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228784 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {EAC0FCDD-4547-8BEE-45AA-23526F8D460C} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4f0 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:10:52 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=228783 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {EAC0FCDD-4547-8BEE-45AA-23526F8D460C} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:10:52 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=228782 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:10:52 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228781 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x77159 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:10:52 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228780 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x77159 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {EAC0FCDD-4547-8BEE-45AA-23526F8D460C} Process Information: Process ID: 0x4f0 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:10:52 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228779 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {EAC0FCDD-4547-8BEE-45AA-23526F8D460C} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4f0 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:10:52 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=228778 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {EAC0FCDD-4547-8BEE-45AA-23526F8D460C} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:10:52 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=228777 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:10:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228823 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x7C024 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:10:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228822 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x7C024 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {31180E54-1792-C698-BADB-78C5E72215FE} Process Information: Process ID: 0x4f0 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:10:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228821 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {31180E54-1792-C698-BADB-78C5E72215FE} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4f0 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:10:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=228820 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {31180E54-1792-C698-BADB-78C5E72215FE} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:10:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=228819 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:10:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228818 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x7A7C2 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:10:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228817 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x7A7C2 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {31180E54-1792-C698-BADB-78C5E72215FE} Process Information: Process ID: 0x4f0 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:10:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228816 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {31180E54-1792-C698-BADB-78C5E72215FE} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4f0 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:10:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=228815 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {31180E54-1792-C698-BADB-78C5E72215FE} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:10:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=228814 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:10:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228813 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x7A6C7 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:10:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228812 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x7A6C7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {31180E54-1792-C698-BADB-78C5E72215FE} Process Information: Process ID: 0x4f0 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:10:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228811 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {31180E54-1792-C698-BADB-78C5E72215FE} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4f0 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:10:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=228810 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {31180E54-1792-C698-BADB-78C5E72215FE} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:10:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=228809 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:10:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228808 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x7A3E5 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:10:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228807 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x7A3E5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {31180E54-1792-C698-BADB-78C5E72215FE} Process Information: Process ID: 0x4f0 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:10:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228806 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {31180E54-1792-C698-BADB-78C5E72215FE} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4f0 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:10:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=228805 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {31180E54-1792-C698-BADB-78C5E72215FE} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:10:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=228804 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:10:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=228803 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x754CF Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:10:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=228802 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x7A346 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:10:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=228801 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x757BB Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:10:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228800 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x7A346 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:10:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228799 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x7A346 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {31180E54-1792-C698-BADB-78C5E72215FE} Process Information: Process ID: 0x4f0 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:10:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228798 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {31180E54-1792-C698-BADB-78C5E72215FE} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4f0 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:10:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=228797 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {31180E54-1792-C698-BADB-78C5E72215FE} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:10:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=228796 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:10:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=228795 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x7A31E Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:10:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228794 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x7A31E Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:10:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228793 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x7A31E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {31180E54-1792-C698-BADB-78C5E72215FE} Process Information: Process ID: 0x4f0 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:10:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228792 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {31180E54-1792-C698-BADB-78C5E72215FE} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4f0 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:10:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=228791 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {31180E54-1792-C698-BADB-78C5E72215FE} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:10:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=228790 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:10:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=228789 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x77D18 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:10:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=228788 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x77159 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:10:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=228787 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x758A8 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:10:55 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228828 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x7CAD9 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:10:55 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228827 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x7CAD9 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {657BD737-4989-B5E1-452B-AB70F21CD608} Process Information: Process ID: 0x4f0 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:10:55 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228826 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {657BD737-4989-B5E1-452B-AB70F21CD608} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4f0 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:10:55 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=228825 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {657BD737-4989-B5E1-452B-AB70F21CD608} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:10:55 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=228824 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:10:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=228846 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x7A3E5 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:10:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=228845 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x8034F Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:10:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=228844 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x7A6C7 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:10:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228843 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x8034F Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:10:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228842 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x8034F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {84CA2F33-6B2F-85B9-A6AA-C499351025FD} Process Information: Process ID: 0x4f0 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:10:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228841 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {84CA2F33-6B2F-85B9-A6AA-C499351025FD} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4f0 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:10:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=228840 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {84CA2F33-6B2F-85B9-A6AA-C499351025FD} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:10:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=228839 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:10:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=228838 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x8032D Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:10:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228837 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x8032D Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:10:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228836 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x8032D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {84CA2F33-6B2F-85B9-A6AA-C499351025FD} Process Information: Process ID: 0x4f0 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:10:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228835 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {84CA2F33-6B2F-85B9-A6AA-C499351025FD} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4f0 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:10:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=228834 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {84CA2F33-6B2F-85B9-A6AA-C499351025FD} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:10:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=228833 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:10:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=228832 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x7CAD9 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:10:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=228831 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x7C024 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:10:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=228830 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x7A7C2 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:10:56 AM LogName=Security SourceName=Microsoft-Windows-Eventlog EventCode=1102 EventType=4 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Log clear OpCode=Info RecordNumber=228829 Keywords=Audit Success Message=The audit log was cleared. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Domain Name: ATTACKRANGE Logon ID: 0x7A3E5 10/09/2020 09:10:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228871 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x829C1 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:10:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228870 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x829C1 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {87F0E2A3-DFD2-2E79-9F0B-F7C49CE90333} Process Information: Process ID: 0x4f0 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:10:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228869 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {87F0E2A3-DFD2-2E79-9F0B-F7C49CE90333} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4f0 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:10:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=228868 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {87F0E2A3-DFD2-2E79-9F0B-F7C49CE90333} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:10:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=228867 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:10:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228866 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x81F3D Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:10:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228865 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x81F3D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {87F0E2A3-DFD2-2E79-9F0B-F7C49CE90333} Process Information: Process ID: 0x4f0 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:10:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228864 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {87F0E2A3-DFD2-2E79-9F0B-F7C49CE90333} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4f0 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:10:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=228863 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {87F0E2A3-DFD2-2E79-9F0B-F7C49CE90333} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:10:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=228862 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:10:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228861 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x80749 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:10:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228860 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x80749 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {87F0E2A3-DFD2-2E79-9F0B-F7C49CE90333} Process Information: Process ID: 0x4f0 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:10:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228859 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {87F0E2A3-DFD2-2E79-9F0B-F7C49CE90333} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4f0 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:10:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=228858 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {87F0E2A3-DFD2-2E79-9F0B-F7C49CE90333} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:10:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=228857 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:10:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228856 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x8065E Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:10:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228855 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x8065E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {87F0E2A3-DFD2-2E79-9F0B-F7C49CE90333} Process Information: Process ID: 0x4f0 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:10:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228854 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {87F0E2A3-DFD2-2E79-9F0B-F7C49CE90333} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4f0 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:10:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=228853 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {87F0E2A3-DFD2-2E79-9F0B-F7C49CE90333} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:10:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=228852 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:10:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228851 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x80392 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:10:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228850 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x80392 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {87F0E2A3-DFD2-2E79-9F0B-F7C49CE90333} Process Information: Process ID: 0x4f0 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:10:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228849 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {87F0E2A3-DFD2-2E79-9F0B-F7C49CE90333} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4f0 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:10:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=228848 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {87F0E2A3-DFD2-2E79-9F0B-F7C49CE90333} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:10:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=228847 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:10:59 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=228888 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x80392 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:10:59 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=228887 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x85BBE Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:10:59 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=228886 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x8065E Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:10:59 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228885 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x85BBE Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:10:59 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228884 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x85BBE Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00381B58-189E-EBE2-3F13-3594F4042894} Process Information: Process ID: 0x4f0 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:10:59 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228883 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {00381B58-189E-EBE2-3F13-3594F4042894} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4f0 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:10:59 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=228882 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {00381B58-189E-EBE2-3F13-3594F4042894} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:10:59 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=228881 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:10:59 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=228880 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x85B9C Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:10:59 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228879 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x85B9C Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:10:59 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228878 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x85B9C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00381B58-189E-EBE2-3F13-3594F4042894} Process Information: Process ID: 0x4f0 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:10:59 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228877 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {00381B58-189E-EBE2-3F13-3594F4042894} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4f0 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:10:59 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=228876 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {00381B58-189E-EBE2-3F13-3594F4042894} Service Information: Service Name: WIN-DC-1796611$ Service ID: ATTACKRANGE\WIN-DC-1796611$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 10/09/2020 09:10:59 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=228875 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 10/09/2020 09:10:59 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=228874 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x829C1 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:10:59 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=228873 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x81F3D Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:10:59 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=228872 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x80749 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:11:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=228891 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x908FB Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:11:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228890 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x908FB Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {44B3577B-C4B9-0576-98C2-862C2D9E5BC4} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: ::1 Source Port: 56406 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:11:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228889 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x908FB Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 10/09/2020 09:11:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228893 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x92EFE Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {44B3577B-C4B9-0576-98C2-862C2D9E5BC4} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: fe80::15f7:4ea2:8f9e:67e8 Source Port: 56411 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:11:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228892 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x92EFE Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 10/09/2020 09:12:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=228895 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x42DA7 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:12:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=228894 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x4A3D7 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:12:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=228896 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x4B735 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:12:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=228899 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x93F04 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:12:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228898 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x93F04 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {44B3577B-C4B9-0576-98C2-862C2D9E5BC4} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: ::1 Source Port: 56423 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:12:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228897 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x93F04 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 10/09/2020 09:13:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=228900 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\WIN-DC-1796611$ Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x4A2F5 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:13:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=228903 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x95F52 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:13:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228902 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x95F52 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {44B3577B-C4B9-0576-98C2-862C2D9E5BC4} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: ::1 Source Port: 56436 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:13:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228901 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x95F52 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 10/09/2020 09:14:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=228931 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x98E11 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:14:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228930 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x98E11 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {44B3577B-C4B9-0576-98C2-862C2D9E5BC4} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: fe80::15f7:4ea2:8f9e:67e8 Source Port: 56461 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:14:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228929 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x98E11 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 10/09/2020 09:14:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=228928 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x98D66 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:14:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228927 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x98D66 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {44B3577B-C4B9-0576-98C2-862C2D9E5BC4} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: fe80::15f7:4ea2:8f9e:67e8 Source Port: 56460 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:14:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228926 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x98D66 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 10/09/2020 09:14:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=228925 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x98806 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:14:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228924 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x98806 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {44B3577B-C4B9-0576-98C2-862C2D9E5BC4} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: fe80::15f7:4ea2:8f9e:67e8 Source Port: 56459 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:14:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228923 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x98806 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 10/09/2020 09:14:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=228922 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x9879B Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:14:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228921 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x9879B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {44B3577B-C4B9-0576-98C2-862C2D9E5BC4} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: fe80::15f7:4ea2:8f9e:67e8 Source Port: 56458 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:14:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228920 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x9879B Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 10/09/2020 09:14:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=228919 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Group: Security ID: BUILTIN\Backup Operators Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0xa40 Process Name: C:\Windows\System32\dfsrs.exe 10/09/2020 09:14:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=228918 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Group: Security ID: BUILTIN\Administrators Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0xa40 Process Name: C:\Windows\System32\dfsrs.exe 10/09/2020 09:14:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=228917 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x98625 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:14:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228916 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x98625 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {44B3577B-C4B9-0576-98C2-862C2D9E5BC4} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: fe80::15f7:4ea2:8f9e:67e8 Source Port: 56456 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:14:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228915 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x98625 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 10/09/2020 09:14:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228914 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x984C4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {44B3577B-C4B9-0576-98C2-862C2D9E5BC4} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: fe80::15f7:4ea2:8f9e:67e8 Source Port: 56455 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:14:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228913 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x984C4 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 10/09/2020 09:14:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228912 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x9848B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {147D98C0-2AA9-43C0-28E5-B399A325054F} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: fe80::15f7:4ea2:8f9e:67e8 Source Port: 56454 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:14:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228911 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x9848B Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 10/09/2020 09:14:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228910 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x98450 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {44B3577B-C4B9-0576-98C2-862C2D9E5BC4} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: fe80::15f7:4ea2:8f9e:67e8 Source Port: 56454 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:14:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228909 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x98450 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 10/09/2020 09:14:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228908 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x983FE Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {44B3577B-C4B9-0576-98C2-862C2D9E5BC4} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: fe80::15f7:4ea2:8f9e:67e8 Source Port: 56452 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:14:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228907 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x983FE Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 10/09/2020 09:14:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=228906 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x9839F Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:14:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228905 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x9839F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {44B3577B-C4B9-0576-98C2-862C2D9E5BC4} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: ::1 Source Port: 56450 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:14:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228904 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x9839F Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 10/09/2020 09:15:01 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228933 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x99EFF Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {44B3577B-C4B9-0576-98C2-862C2D9E5BC4} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: fe80::15f7:4ea2:8f9e:67e8 Source Port: 56465 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:15:01 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228932 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x99EFF Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 10/09/2020 09:15:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228939 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x9A432 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {147D98C0-2AA9-43C0-28E5-B399A325054F} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.0.1.14 Source Port: 56468 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:15:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228938 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x9A432 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 10/09/2020 09:15:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228937 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x9A3E8 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {147D98C0-2AA9-43C0-28E5-B399A325054F} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: ::1 Source Port: 0 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:15:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228936 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x9A3E8 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 10/09/2020 09:15:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228935 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x9A2D9 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {147D98C0-2AA9-43C0-28E5-B399A325054F} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: fe80::15f7:4ea2:8f9e:67e8 Source Port: 56467 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:15:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228934 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x9A2D9 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 10/09/2020 09:15:03 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=228944 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x9A2D9 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:15:03 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=228943 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x9A3E8 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:15:03 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=228942 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x9A432 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:15:03 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228941 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Delegation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x9A4A4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {147D98C0-2AA9-43C0-28E5-B399A325054F} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: fe80::15f7:4ea2:8f9e:67e8 Source Port: 56469 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:15:03 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228940 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x9A4A4 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 10/09/2020 09:15:13 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=228945 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x9A4A4 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:15:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=228948 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x9B082 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:15:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228947 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x9B082 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {44B3577B-C4B9-0576-98C2-862C2D9E5BC4} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: ::1 Source Port: 56478 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:15:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228946 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x9B082 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 10/09/2020 09:16:35 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=228949 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x99EFF Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:16:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=228952 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x9C8A4 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 09:16:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228951 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x9C8A4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {44B3577B-C4B9-0576-98C2-862C2D9E5BC4} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: ::1 Source Port: 56490 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:16:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228950 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: ATTACKRANGE Logon ID: 0x9C8A4 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege