11/09/2020 10:48:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=EC2AMAZ-H0SHIJ3 TaskCategory=Process Creation OpCode=Info RecordNumber=227273 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x198 New Process Name: C:\Windows\System32\smss.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x4 Creator Process Name: Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.

11/09/2020 10:48:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4826 EventType=0 Type=Information ComputerName=EC2AMAZ-H0SHIJ3 TaskCategory=Other Policy Change Events OpCode=Info RecordNumber=227272 Keywords=Audit Success Message=Boot Configuration Data loaded. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 General Settings: Load Options: - Advanced Options: No Configuration Access Policy: Default System Event Logging: No Kernel Debugging: No VSM Launch Type: Off Signature Settings: Test Signing: No Flight Signing: No Disable Integrity Checks: No HyperVisor Settings: HyperVisor Load Options: - HyperVisor Launch Type: Off HyperVisor Debugging: No

11/09/2020 10:48:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=EC2AMAZ-H0SHIJ3 TaskCategory=Process Creation OpCode=Info RecordNumber=227274 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1bc New Process Name: C:\Windows\System32\autochk.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x198 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.

11/09/2020 10:48:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=EC2AMAZ-H0SHIJ3 TaskCategory=Process Creation OpCode=Info RecordNumber=227275 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1e8 New Process Name: C:\Windows\System32\setupcl.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x198 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.

11/09/2020 10:48:34 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=EC2AMAZ-H0SHIJ3 TaskCategory=Process Creation OpCode=Info RecordNumber=227274 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1c4 New Process Name: C:\Windows\System32\autochk.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x19c Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.

11/09/2020 10:48:34 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=EC2AMAZ-H0SHIJ3 TaskCategory=Process Creation OpCode=Info RecordNumber=227273 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x19c New Process Name: C:\Windows\System32\smss.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x4 Creator Process Name: Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.

11/09/2020 10:48:34 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4826 EventType=0 Type=Information ComputerName=EC2AMAZ-H0SHIJ3 TaskCategory=Other Policy Change Events OpCode=Info RecordNumber=227272 Keywords=Audit Success Message=Boot Configuration Data loaded. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 General Settings: Load Options: - Advanced Options: No Configuration Access Policy: Default System Event Logging: No Kernel Debugging: No VSM Launch Type: Off Signature Settings: Test Signing: No Flight Signing: No Disable Integrity Checks: No HyperVisor Settings: HyperVisor Load Options: - HyperVisor Launch Type: Off HyperVisor Debugging: No

11/09/2020 10:48:36 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=EC2AMAZ-H0SHIJ3 TaskCategory=Process Creation OpCode=Info RecordNumber=227275 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1f0 New Process Name: C:\Windows\System32\setupcl.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x19c Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.

11/09/2020 10:48:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=EC2AMAZ-H0SHIJ3 TaskCategory=Process Creation OpCode=Info RecordNumber=227281 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x29c New Process Name: C:\Windows\System32\winlogon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x248 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.

11/09/2020 10:48:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=EC2AMAZ-H0SHIJ3 TaskCategory=Process Creation OpCode=Info RecordNumber=227280 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x264 New Process Name: C:\Windows\System32\wininit.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x204 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.

11/09/2020 10:48:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=EC2AMAZ-H0SHIJ3 TaskCategory=Process Creation OpCode=Info RecordNumber=227279 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x250 New Process Name: C:\Windows\System32\csrss.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x248 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.

11/09/2020 10:48:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=EC2AMAZ-H0SHIJ3 TaskCategory=Process Creation OpCode=Info RecordNumber=227278 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x248 New Process Name: C:\Windows\System32\smss.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x198 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.

11/09/2020 10:48:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=EC2AMAZ-H0SHIJ3 TaskCategory=Process Creation OpCode=Info RecordNumber=227277 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x20c New Process Name: C:\Windows\System32\csrss.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x204 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.

11/09/2020 10:48:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=EC2AMAZ-H0SHIJ3 TaskCategory=Process Creation OpCode=Info RecordNumber=227276 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x204 New Process Name: C:\Windows\System32\smss.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x198 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.

11/09/2020 10:48:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-H0SHIJ3 TaskCategory=Logon OpCode=Info RecordNumber=227285 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 0 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: - New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4 Process Name: Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: - Authentication Package: - Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.

11/09/2020 10:48:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4608 EventType=0 Type=Information ComputerName=EC2AMAZ-H0SHIJ3 TaskCategory=Security State Change OpCode=Info RecordNumber=227284 Keywords=Audit Success Message=Windows is starting up. This event is logged when LSASS.EXE starts and the auditing subsystem is initialized.

11/09/2020 10:48:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=EC2AMAZ-H0SHIJ3 TaskCategory=Process Creation OpCode=Info RecordNumber=227283 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x2e0 New Process Name: C:\Windows\System32\lsass.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x264 Creator Process Name: C:\Windows\System32\wininit.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.

11/09/2020 10:48:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=EC2AMAZ-H0SHIJ3 TaskCategory=Process Creation OpCode=Info RecordNumber=227282 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x2d0 New Process Name: C:\Windows\System32\services.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x264 Creator Process Name: C:\Windows\System32\wininit.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.

11/09/2020 10:48:52 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-H0SHIJ3 TaskCategory=Special Logon OpCode=Info RecordNumber=227301 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege

11/09/2020 10:48:52 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-H0SHIJ3 TaskCategory=Logon OpCode=Info RecordNumber=227300 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-H0SHIJ3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2d0 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.

11/09/2020 10:48:52 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-H0SHIJ3 TaskCategory=Special Logon OpCode=Info RecordNumber=227299 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\LOCAL SERVICE Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege

11/09/2020 10:48:52 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-H0SHIJ3 TaskCategory=Logon OpCode=Info RecordNumber=227298 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-H0SHIJ3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\LOCAL SERVICE Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2d0 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 10:48:52 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-H0SHIJ3 TaskCategory=Special Logon OpCode=Info RecordNumber=227297 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 10:48:52 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-H0SHIJ3 TaskCategory=Logon OpCode=Info RecordNumber=227296 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-H0SHIJ3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2d0 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. 
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 10:48:52 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-H0SHIJ3 TaskCategory=Special Logon OpCode=Info RecordNumber=227295 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: Window Manager\DWM-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x58BBC Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege 11/09/2020 10:48:52 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-H0SHIJ3 TaskCategory=Special Logon OpCode=Info RecordNumber=227294 Keywords=Audit Success Message=Special privileges assigned to new logon. 
Subject: Security ID: Window Manager\DWM-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x58BAA Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege 11/09/2020 10:48:52 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-H0SHIJ3 TaskCategory=Logon OpCode=Info RecordNumber=227293 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-H0SHIJ3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: Window Manager\DWM-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x58BBC Linked Logon ID: 0x58BAA Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x29c Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. 
The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 10:48:52 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-H0SHIJ3 TaskCategory=Logon OpCode=Info RecordNumber=227292 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-H0SHIJ3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: Window Manager\DWM-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x58BAA Linked Logon ID: 0x58BBC Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x29c Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. 
This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 10:48:52 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-H0SHIJ3 TaskCategory=Logon OpCode=Info RecordNumber=227291 Keywords=Audit Success Message=A logon was attempted using explicit credentials. 
Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-H0SHIJ3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: DWM-1 Account Domain: Window Manager Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x29c Process Name: C:\Windows\System32\winlogon.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 10:48:52 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-H0SHIJ3 TaskCategory=Special Logon OpCode=Info RecordNumber=227290 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: NETWORK SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E4 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege 11/09/2020 10:48:52 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-H0SHIJ3 TaskCategory=Logon OpCode=Info RecordNumber=227289 Keywords=Audit Success Message=An account was successfully logged on. 
Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-H0SHIJ3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: NETWORK SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2d0 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. 
- Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 10:48:52 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-H0SHIJ3 TaskCategory=Special Logon OpCode=Info RecordNumber=227288 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 10:48:52 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-H0SHIJ3 TaskCategory=Logon OpCode=Info RecordNumber=227287 Keywords=Audit Success Message=An account was successfully logged on. 
Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-H0SHIJ3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2d0 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. 
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 10:48:52 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4902 EventType=0 Type=Information ComputerName=EC2AMAZ-H0SHIJ3 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=227286 Keywords=Audit Success Message=The Per-user audit policy table was created. Number of Elements: 0 Policy ID: 0x51E00 11/09/2020 10:48:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-H0SHIJ3 TaskCategory=Special Logon OpCode=Info RecordNumber=227303 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 10:48:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-H0SHIJ3 TaskCategory=Logon OpCode=Info RecordNumber=227302 Keywords=Audit Success Message=An account was successfully logged on. 
Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-H0SHIJ3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2d0 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. 
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 10:48:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=EC2AMAZ-H0SHIJ3 TaskCategory=Process Creation OpCode=Info RecordNumber=227281 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x2a0 New Process Name: C:\Windows\System32\winlogon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x24c Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 
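The 4624 and 4688 bodies above carry Microsoft's field explanations (logon type, impersonation level, token elevation type) inline with the data, and the export runs events together with spaces rather than newlines. The following is an added example written for this edit, not part of the page's export or of any tool the page mentions: it parses that flattened Splunk-style format, splitting events at each leading timestamp and keying the run-together `Label: value` pairs by section so that repeated labels (Account Name under Subject versus New Logon) do not collide, then runs the two checks those descriptions motivate: decoding Token Elevation Type and checking core-process parentage for 4688, and decoding Logon Type and flagging elevated network/RDP logons from a non-local address for 4624. The SAMPLE inside is constructed: records 227279 and 227289 are abridged from the page, records 900001 and 900002 (account Administrator, workstation WKS01, address 203.0.113.5, the PIDs and logon IDs) are invented; the expected-parent table and the flagging rule are the example's own assumptions, not anything the log states.

```python
"""Parse Splunk-style flattened Windows Security events (the format of this page's export) and run two
checks over them. Added example, not part of the original export. SAMPLE is constructed: records 227279
and 227289 are abridged from the page; records 900001 and 900002 (account Administrator, workstation
WKS01, address 203.0.113.5, PIDs and logon IDs) are invented to exercise the checks."""
import re

SAMPLE = " ".join([  # events run together with spaces, as in the flattened export
    "11/09/2020 10:48:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 "
    "ComputerName=EC2AMAZ-H0SHIJ3 TaskCategory=Process Creation RecordNumber=227279 Message=A new process has been "
    "created. Creator Subject: Security ID: NT AUTHORITY\\SYSTEM Account Name: - Logon ID: 0x3E7 Process Information: "
    "New Process ID: 0x254 New Process Name: C:\\Windows\\System32\\csrss.exe Token Elevation Type: %%1936 Creator "
    "Process ID: 0x24c Creator Process Name: C:\\Windows\\System32\\smss.exe Process Command Line: Token Elevation "
    "Type indicates the type of token that was assigned to the new process.",
    # CONSTRUCTED: a csrss.exe outside System32, spawned by cmd.exe with an elevated (type 2) token
    "11/09/2020 11:02:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 "
    "ComputerName=EC2AMAZ-H0SHIJ3 TaskCategory=Process Creation RecordNumber=900001 Message=A new process has been "
    "created. Creator Subject: Security ID: EC2AMAZ-H0SHIJ3\\Administrator Account Name: Administrator Logon ID: "
    "0x9A1234 Process Information: New Process ID: 0x1f40 New Process Name: C:\\Users\\Public\\csrss.exe Token "
    "Elevation Type: %%1937 Creator Process ID: 0x1a2c Creator Process Name: C:\\Windows\\System32\\cmd.exe Process "
    "Command Line: Token Elevation Type indicates the type of token that was assigned to the new process.",
    "11/09/2020 10:48:52 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 "
    "ComputerName=EC2AMAZ-H0SHIJ3 TaskCategory=Logon RecordNumber=227289 Message=An account was successfully logged "
    "on. Subject: Security ID: NT AUTHORITY\\SYSTEM Account Name: EC2AMAZ-H0SHIJ3$ Logon ID: 0x3E7 Logon Information: "
    "Logon Type: 5 Elevated Token: Yes New Logon: Security ID: NT AUTHORITY\\NETWORK SERVICE Account Name: NETWORK "
    "SERVICE Logon ID: 0x3E4 Process Information: Process ID: 0x2d0 Process Name: C:\\Windows\\System32\\services.exe "
    "Network Information: Workstation Name: - Source Network Address: - Source Port: - This event is generated when "
    "a logon session is created.",
    # CONSTRUCTED: an elevated RemoteInteractive (RDP) logon from an external address
    "11/09/2020 11:01:55 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 "
    "ComputerName=EC2AMAZ-H0SHIJ3 TaskCategory=Logon RecordNumber=900002 Message=An account was successfully logged "
    "on. Subject: Security ID: NT AUTHORITY\\SYSTEM Account Name: EC2AMAZ-H0SHIJ3$ Logon ID: 0x3E7 Logon Information: "
    "Logon Type: 10 Elevated Token: Yes New Logon: Security ID: EC2AMAZ-H0SHIJ3\\Administrator Account Name: "
    "Administrator Logon ID: 0x9A1234 Process Information: Process ID: 0x4d8 Process Name: "
    "C:\\Windows\\System32\\svchost.exe Network Information: Workstation Name: WKS01 Source Network Address: "
    "203.0.113.5 Source Port: 49812 This event is generated when a logon session is created.",
])
EVENT_START = re.compile(r"(?=\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2} [AP]M LogName=)")
HEADER = re.compile(r"^(?P<time>\S+ \S+ [AP]M) .*?EventCode=(?P<code>\d+) .*?RecordNumber=(?P<rec>\d+) "
                    r".*?Message=(?P<msg>.*)$", re.S)
DESCRIPTION = re.compile(r" (?:This event is generated|Token Elevation Type indicates)")  # trailing help text, not data
SECTIONS = {"Creator Subject", "Target Subject", "Subject", "Logon Information", "New Logon",
            "Process Information", "Network Information", "Detailed Authentication Information"}
FIELDS = {"Security ID", "Account Name", "Account Domain", "Logon ID", "Linked Logon ID", "Logon Type", "Elevated Token",
          "Virtual Account", "Impersonation Level", "Process ID", "Process Name", "New Process ID", "New Process Name",
          "Token Elevation Type", "Mandatory Label", "Creator Process ID", "Creator Process Name", "Process Command Line",
          "Workstation Name", "Source Network Address", "Source Port", "Logon Process", "Authentication Package", "Key Length"}
LABEL = re.compile(r"(?:^|\s)(%s):" % "|".join(map(re.escape, sorted(SECTIONS | FIELDS, key=len, reverse=True))))

def parse_message(msg):
    """'Label: value' pairs run together; key them 'Section.Label' since e.g. Account Name repeats per section."""
    body = DESCRIPTION.split(msg, 1)[0]
    hits = list(LABEL.finditer(body))
    fields, section = {}, ""
    for i, m in enumerate(hits):
        end = hits[i + 1].start() if i + 1 < len(hits) else len(body)
        if m.group(1) in SECTIONS:
            section = m.group(1)
        else:
            fields[section + "." + m.group(1)] = body[m.end():end].strip()
    return fields

def parse_events(text):  # split the flattened export at each leading timestamp, parse header plus Message
    events = []
    for chunk in EVENT_START.split(text):
        m = HEADER.match(chunk.strip())
        if m:
            ev = {"time": m["time"], "code": int(m["code"]), "record": int(m["rec"])}
            ev.update(parse_message(m["msg"]))
            events.append(ev)
    return events

TOKEN_TYPES = {"%%1936": "1 (full)", "%%1937": "2 (elevated)", "%%1938": "3 (limited)"}
LOGON_TYPES = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service", 7: "Unlock", 8: "NetworkCleartext",
               9: "NewCredentials", 10: "RemoteInteractive", 11: "CachedInteractive"}
# Assumed expected creators of core processes; the page's boot-time 4688 events follow this tree
# (smss.exe is started by System, which 4688 logs with Creator Process ID 0x4 and a blank creator name).
EXPECTED_PARENT = {"smss.exe": {"", "smss.exe"}, "csrss.exe": {"smss.exe"}, "wininit.exe": {"smss.exe"},
                   "winlogon.exe": {"smss.exe"}, "services.exe": {"wininit.exe"}, "lsass.exe": {"wininit.exe"}}

def check_process_creation(ev):
    """4688: decode the token type and flag a core process whose creator is not the expected one."""
    base = lambda p: p.rsplit("\\", 1)[-1].lower()
    child = base(ev.get("Process Information.New Process Name", ""))
    parent = base(ev.get("Process Information.Creator Process Name", ""))
    return {"record": ev["record"], "child": child, "parent": parent,
            "token": TOKEN_TYPES.get(ev.get("Process Information.Token Elevation Type"), "unknown"),
            "suspicious": child in EXPECTED_PARENT and parent not in EXPECTED_PARENT[child]}

def check_logon(ev):
    """4624: decode the logon type; flag an elevated network/RDP logon from a non-local address (review item)."""
    ltype = int(ev.get("Logon Information.Logon Type", "0"))
    source = ev.get("Network Information.Source Network Address", "-")
    remote = source not in ("-", "", "127.0.0.1", "::1")
    return {"record": ev["record"], "account": ev.get("New Logon.Account Name", "?"), "source": source,
            "type": LOGON_TYPES.get(ltype, str(ltype)),
            "suspicious": remote and ltype in (3, 10) and ev.get("Logon Information.Elevated Token") == "Yes"}

def run(text):  # route each parsed event to its check, grouped by event class
    findings = {"process": [], "logon": []}
    for ev in parse_events(text):
        if ev["code"] == 4688:
            findings["process"].append(check_process_creation(ev))
        elif ev["code"] == 4624:
            findings["logon"].append(check_logon(ev))
    return findings
```

`run(SAMPLE)` returns the two page records as clean and both constructed records flagged; for a real export, pass the file's text to `parse_events`. Two caveats a practitioner should keep in mind: the parent table only covers the boot-time tree visible on this page, so a 4688 hit means "unexpected creator" and needs a human look (legitimate tooling can trip it), and Process Command Line is empty throughout this export, which most likely means "Include command line in process creation events" was not enabled on the host, so 4688 alone cannot tell you what a flagged process was asked to do.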
11/09/2020 10:48:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=EC2AMAZ-H0SHIJ3 TaskCategory=Process Creation OpCode=Info RecordNumber=227280 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x258 New Process Name: C:\Windows\System32\wininit.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x208 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 11/09/2020 10:48:56 AM LogName=Security SourceName=Microsoft Windows security auditing. 
EventCode=4688 EventType=0 Type=Information ComputerName=EC2AMAZ-H0SHIJ3 TaskCategory=Process Creation OpCode=Info RecordNumber=227279 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x254 New Process Name: C:\Windows\System32\csrss.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x24c Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 11/09/2020 10:48:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=EC2AMAZ-H0SHIJ3 TaskCategory=Process Creation OpCode=Info RecordNumber=227278 Keywords=Audit Success Message=A new process has been created. 
Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x24c New Process Name: C:\Windows\System32\smss.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x19c Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 11/09/2020 10:48:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=EC2AMAZ-H0SHIJ3 TaskCategory=Process Creation OpCode=Info RecordNumber=227277 Keywords=Audit Success Message=A new process has been created. 
Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x210 New Process Name: C:\Windows\System32\csrss.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x208 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 11/09/2020 10:48:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=EC2AMAZ-H0SHIJ3 TaskCategory=Process Creation OpCode=Info RecordNumber=227276 Keywords=Audit Success Message=A new process has been created. 
Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x208 New Process Name: C:\Windows\System32\smss.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x19c Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 11/09/2020 10:48:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-H0SHIJ3 TaskCategory=Special Logon OpCode=Info RecordNumber=227290 Keywords=Audit Success Message=Special privileges assigned to new logon. 
Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: NETWORK SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E4 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege 11/09/2020 10:48:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-H0SHIJ3 TaskCategory=Logon OpCode=Info RecordNumber=227289 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-H0SHIJ3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: NETWORK SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2d4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. 
Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 10:48:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-H0SHIJ3 TaskCategory=Special Logon OpCode=Info RecordNumber=227288 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 10:48:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-H0SHIJ3 TaskCategory=Logon OpCode=Info RecordNumber=227287 Keywords=Audit Success Message=An account was successfully logged on. 
Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-H0SHIJ3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2d4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. 
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 10:48:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4902 EventType=0 Type=Information ComputerName=EC2AMAZ-H0SHIJ3 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=227286 Keywords=Audit Success Message=The Per-user audit policy table was created. Number of Elements: 0 Policy ID: 0x51DF6 11/09/2020 10:48:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-H0SHIJ3 TaskCategory=Logon OpCode=Info RecordNumber=227285 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 0 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: - New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4 Process Name: Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: - Authentication Package: - Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. 
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 10:48:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4608 EventType=0 Type=Information ComputerName=EC2AMAZ-H0SHIJ3 TaskCategory=Security State Change OpCode=Info RecordNumber=227284 Keywords=Audit Success Message=Windows is starting up. This event is logged when LSASS.EXE starts and the auditing subsystem is initialized. 11/09/2020 10:48:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=EC2AMAZ-H0SHIJ3 TaskCategory=Process Creation OpCode=Info RecordNumber=227283 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x2e4 New Process Name: C:\Windows\System32\lsass.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x258 Creator Process Name: C:\Windows\System32\wininit.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. 
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 11/09/2020 10:48:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=EC2AMAZ-H0SHIJ3 TaskCategory=Process Creation OpCode=Info RecordNumber=227282 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x2d4 New Process Name: C:\Windows\System32\services.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x258 Creator Process Name: C:\Windows\System32\wininit.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. 
A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 11/09/2020 10:48:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5033 EventType=0 Type=Information ComputerName=EC2AMAZ-H0SHIJ3 TaskCategory=Other System Events OpCode=Info RecordNumber=227306 Keywords=Audit Success Message=The Windows Firewall Driver started successfully. 11/09/2020 10:48:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-H0SHIJ3 TaskCategory=Special Logon OpCode=Info RecordNumber=227305 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 10:48:58 AM LogName=Security SourceName=Microsoft Windows security auditing. 
EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-H0SHIJ3 TaskCategory=Logon OpCode=Info RecordNumber=227304 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-H0SHIJ3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2d0 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. 
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 10:48:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-H0SHIJ3 TaskCategory=Special Logon OpCode=Info RecordNumber=227303 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 10:48:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-H0SHIJ3 TaskCategory=Logon OpCode=Info RecordNumber=227302 Keywords=Audit Success Message=An account was successfully logged on. 
Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-H0SHIJ3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2d4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. 
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 10:48:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-H0SHIJ3 TaskCategory=Special Logon OpCode=Info RecordNumber=227301 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 10:48:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-H0SHIJ3 TaskCategory=Logon OpCode=Info RecordNumber=227300 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-H0SHIJ3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2d4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. 
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 10:48:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-H0SHIJ3 TaskCategory=Special Logon OpCode=Info RecordNumber=227299 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\LOCAL SERVICE Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege 11/09/2020 10:48:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-H0SHIJ3 TaskCategory=Logon OpCode=Info RecordNumber=227298 Keywords=Audit Success Message=An account was successfully logged on. 
Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-H0SHIJ3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\LOCAL SERVICE Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2d4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. 
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 10:48:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-H0SHIJ3 TaskCategory=Special Logon OpCode=Info RecordNumber=227297 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 10:48:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-H0SHIJ3 TaskCategory=Logon OpCode=Info RecordNumber=227296 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-H0SHIJ3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2d4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. 
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 10:48:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-H0SHIJ3 TaskCategory=Special Logon OpCode=Info RecordNumber=227295 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: Window Manager\DWM-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x58B54 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege 11/09/2020 10:48:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-H0SHIJ3 TaskCategory=Special Logon OpCode=Info RecordNumber=227294 Keywords=Audit Success Message=Special privileges assigned to new logon. 
Subject: Security ID: Window Manager\DWM-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x58B42 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege 11/09/2020 10:48:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-H0SHIJ3 TaskCategory=Logon OpCode=Info RecordNumber=227293 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-H0SHIJ3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: Window Manager\DWM-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x58B54 Linked Logon ID: 0x58B42 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2a0 Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. 
The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 10:48:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-H0SHIJ3 TaskCategory=Logon OpCode=Info RecordNumber=227292 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-H0SHIJ3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: Window Manager\DWM-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x58B42 Linked Logon ID: 0x58B54 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2a0 Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. 
This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 10:48:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-H0SHIJ3 TaskCategory=Logon OpCode=Info RecordNumber=227291 Keywords=Audit Success Message=A logon was attempted using explicit credentials. 
Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-H0SHIJ3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: DWM-1 Account Domain: Window Manager Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x2a0 Process Name: C:\Windows\System32\winlogon.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 10:48:59 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5024 EventType=0 Type=Information ComputerName=EC2AMAZ-H0SHIJ3 TaskCategory=Other System Events OpCode=Info RecordNumber=227314 Keywords=Audit Success Message=The Windows Firewall service started successfully. 11/09/2020 10:48:59 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-H0SHIJ3 TaskCategory=Logon OpCode=Info RecordNumber=227313 Keywords=Audit Success Message=An account was successfully logged on. 
Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\ANONYMOUS LOGON Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x614D0 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V1 Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. 
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 10:48:59 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-H0SHIJ3 TaskCategory=Special Logon OpCode=Info RecordNumber=227312 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 10:48:59 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-H0SHIJ3 TaskCategory=Logon OpCode=Info RecordNumber=227311 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-H0SHIJ3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2d0 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. 
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 10:48:59 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-H0SHIJ3 TaskCategory=Special Logon OpCode=Info RecordNumber=227310 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 10:48:59 AM LogName=Security SourceName=Microsoft Windows security auditing. 
EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-H0SHIJ3 TaskCategory=Logon OpCode=Info RecordNumber=227309 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-H0SHIJ3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2d0 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. 
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 10:48:59 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-H0SHIJ3 TaskCategory=Special Logon OpCode=Info RecordNumber=227308 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 10:48:59 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-H0SHIJ3 TaskCategory=Logon OpCode=Info RecordNumber=227307 Keywords=Audit Success Message=An account was successfully logged on. 
Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-H0SHIJ3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2d0 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. 
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 10:49:03 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5033 EventType=0 Type=Information ComputerName=EC2AMAZ-H0SHIJ3 TaskCategory=Other System Events OpCode=Info RecordNumber=227306 Keywords=Audit Success Message=The Windows Firewall Driver started successfully. 11/09/2020 10:49:03 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-H0SHIJ3 TaskCategory=Special Logon OpCode=Info RecordNumber=227305 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 10:49:03 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-H0SHIJ3 TaskCategory=Logon OpCode=Info RecordNumber=227304 Keywords=Audit Success Message=An account was successfully logged on. 
Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-H0SHIJ3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2d4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. 
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 10:49:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-H0SHIJ3 TaskCategory=Logon OpCode=Info RecordNumber=227313 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\ANONYMOUS LOGON Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x61A66 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V1 Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. 
The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 10:49:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-H0SHIJ3 TaskCategory=Special Logon OpCode=Info RecordNumber=227312 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 10:49:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-H0SHIJ3 TaskCategory=Logon OpCode=Info RecordNumber=227311 Keywords=Audit Success Message=An account was successfully logged on. 
Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-H0SHIJ3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2d4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. 
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 10:49:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-H0SHIJ3 TaskCategory=Special Logon OpCode=Info RecordNumber=227310 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 10:49:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-H0SHIJ3 TaskCategory=Logon OpCode=Info RecordNumber=227309 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-H0SHIJ3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2d4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. 
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 10:49:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-H0SHIJ3 TaskCategory=Special Logon OpCode=Info RecordNumber=227308 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 10:49:04 AM LogName=Security SourceName=Microsoft Windows security auditing. 
EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-H0SHIJ3 TaskCategory=Logon OpCode=Info RecordNumber=227307 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-H0SHIJ3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2d4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. 
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 10:49:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5024 EventType=0 Type=Information ComputerName=EC2AMAZ-H0SHIJ3 TaskCategory=Other System Events OpCode=Info RecordNumber=227314 Keywords=Audit Success Message=The Windows Firewall service started successfully. 11/09/2020 10:49:20 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4724 EventType=0 Type=Information ComputerName=EC2AMAZ-H0SHIJ3 TaskCategory=User Account Management OpCode=Info RecordNumber=227317 Keywords=Audit Success Message=An attempt was made to reset an account's password. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-H0SHIJ3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-H0SHIJ3 11/09/2020 10:49:20 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4738 EventType=0 Type=Information ComputerName=EC2AMAZ-H0SHIJ3 TaskCategory=User Account Management OpCode=Info RecordNumber=227316 Keywords=Audit Success Message=A user account was changed. 
Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-H0SHIJ3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-H0SHIJ3 Changed Attributes: SAM Account Name: Administrator Display Name: User Principal Name: - Home Directory: Home Drive: Script Path: Profile Path: User Workstations: Password Last Set: 11/9/2020 10:49:20 AM Account Expires: Primary Group ID: 513 AllowedToDelegateTo: - Old UAC Value: 0x10 New UAC Value: 0x14 User Account Control: 'Password Not Required' - Enabled User Parameters: - SID History: - Logon Hours: All Additional Information: Privileges: - 11/09/2020 10:49:20 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4798 EventType=0 Type=Information ComputerName=EC2AMAZ-H0SHIJ3 TaskCategory=User Account Management OpCode=Info RecordNumber=227315 Keywords=Audit Success Message=A user's local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-H0SHIJ3$ Account Domain: WORKGROUP Logon ID: 0x3E7 User: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-H0SHIJ3 Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\net1.exe 11/09/2020 10:49:21 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4616 EventType=0 Type=Information ComputerName=EC2AMAZ-H0SHIJ3 TaskCategory=Security State Change OpCode=Info RecordNumber=227318 Keywords=Audit Success Message=The system time was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-H0SHIJ3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Process Information: Process ID: 0xa34 Name: C:\Windows\System32\rundll32.exe Previous Time: 2020-11-09T10:49:21.140151800Z New Time: 2020-11-09T10:49:21.129000000Z This event is generated when the system time is changed. 
It is normal for the Windows Time Service, which runs with System privilege, to change the system time on a regular basis. Other system time changes may be indicative of attempts to tamper with the computer. 11/09/2020 10:49:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4724 EventType=0 Type=Information ComputerName=EC2AMAZ-H0SHIJ3 TaskCategory=User Account Management OpCode=Info RecordNumber=227317 Keywords=Audit Success Message=An attempt was made to reset an account's password. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-H0SHIJ3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-H0SHIJ3 11/09/2020 10:49:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4738 EventType=0 Type=Information ComputerName=EC2AMAZ-H0SHIJ3 TaskCategory=User Account Management OpCode=Info RecordNumber=227316 Keywords=Audit Success Message=A user account was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-H0SHIJ3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-H0SHIJ3 Changed Attributes: SAM Account Name: Administrator Display Name: User Principal Name: - Home Directory: Home Drive: Script Path: Profile Path: User Workstations: Password Last Set: 11/9/2020 10:49:23 AM Account Expires: Primary Group ID: 513 AllowedToDelegateTo: - Old UAC Value: 0x10 New UAC Value: 0x14 User Account Control: 'Password Not Required' - Enabled User Parameters: - SID History: - Logon Hours: All Additional Information: Privileges: - 11/09/2020 10:49:23 AM LogName=Security SourceName=Microsoft Windows security auditing. 
EventCode=4798 EventType=0 Type=Information ComputerName=EC2AMAZ-H0SHIJ3 TaskCategory=User Account Management OpCode=Info RecordNumber=227315 Keywords=Audit Success Message=A user's local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-H0SHIJ3$ Account Domain: WORKGROUP Logon ID: 0x3E7 User: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-H0SHIJ3 Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\net1.exe 11/09/2020 10:49:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4616 EventType=0 Type=Information ComputerName=EC2AMAZ-H0SHIJ3 TaskCategory=Security State Change OpCode=Info RecordNumber=227318 Keywords=Audit Success Message=The system time was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-H0SHIJ3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Process Information: Process ID: 0xa1c Name: C:\Windows\System32\rundll32.exe Previous Time: 2020-11-09T10:49:24.055666500Z New Time: 2020-11-09T10:49:24.041000000Z This event is generated when the system time is changed. It is normal for the Windows Time Service, which runs with System privilege, to change the system time on a regular basis. Other system time changes may be indicative of attempts to tamper with the computer. 11/09/2020 10:49:28 AM LogName=Security SourceName=Microsoft-Windows-Eventlog EventCode=1100 EventType=4 Type=Information ComputerName=EC2AMAZ-H0SHIJ3 TaskCategory=Service shutdown OpCode=Info RecordNumber=227319 Keywords=Audit Success Message=The event logging service has shut down. 11/09/2020 10:49:31 AM LogName=Security SourceName=Microsoft-Windows-Eventlog EventCode=1100 EventType=4 Type=Information ComputerName=EC2AMAZ-H0SHIJ3 TaskCategory=Service shutdown OpCode=Info RecordNumber=227319 Keywords=Audit Success Message=The event logging service has shut down.
11/09/2020 10:49:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Process Creation OpCode=Info RecordNumber=227322 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1b4 New Process Name: C:\Windows\System32\autochk.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x190 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 11/09/2020 10:49:58 AM LogName=Security SourceName=Microsoft Windows security auditing. 
EventCode=4688 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Process Creation OpCode=Info RecordNumber=227321 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x190 New Process Name: C:\Windows\System32\smss.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x4 Creator Process Name: Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 11/09/2020 10:49:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4826 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Other Policy Change Events OpCode=Info RecordNumber=227320 Keywords=Audit Success Message=Boot Configuration Data loaded. 
Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 General Settings: Load Options: - Advanced Options: No Configuration Access Policy: Default System Event Logging: No Kernel Debugging: No VSM Launch Type: Off Signature Settings: Test Signing: No Flight Signing: No Disable Integrity Checks: No HyperVisor Settings: HyperVisor Load Options: - HyperVisor Launch Type: Off HyperVisor Debugging: No 11/09/2020 10:49:59 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4902 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Audit Policy Change OpCode=Info RecordNumber=227333 Keywords=Audit Success Message=The Per-user audit policy table was created. Number of Elements: 0 Policy ID: 0x5568 11/09/2020 10:49:59 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logon OpCode=Info RecordNumber=227332 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 0 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: - New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4 Process Name: Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: - Authentication Package: - Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. 
This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 10:49:59 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4608 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Security State Change OpCode=Info RecordNumber=227331 Keywords=Audit Success Message=Windows is starting up. This event is logged when LSASS.EXE starts and the auditing subsystem is initialized. 11/09/2020 10:49:59 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Process Creation OpCode=Info RecordNumber=227330 Keywords=Audit Success Message=A new process has been created. 
Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x2bc New Process Name: C:\Windows\System32\lsass.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x234 Creator Process Name: C:\Windows\System32\wininit.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 11/09/2020 10:49:59 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Process Creation OpCode=Info RecordNumber=227329 Keywords=Audit Success Message=A new process has been created. 
Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x2b4 New Process Name: C:\Windows\System32\services.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x234 Creator Process Name: C:\Windows\System32\wininit.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 11/09/2020 10:49:59 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Process Creation OpCode=Info RecordNumber=227328 Keywords=Audit Success Message=A new process has been created. 
Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x280 New Process Name: C:\Windows\System32\winlogon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x22c Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 11/09/2020 10:49:59 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Process Creation OpCode=Info RecordNumber=227327 Keywords=Audit Success Message=A new process has been created. 
Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x23c New Process Name: C:\Windows\System32\csrss.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x22c Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 11/09/2020 10:49:59 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Process Creation OpCode=Info RecordNumber=227326 Keywords=Audit Success Message=A new process has been created. 
Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x234 New Process Name: C:\Windows\System32\wininit.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x1e4 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 11/09/2020 10:49:59 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Process Creation OpCode=Info RecordNumber=227325 Keywords=Audit Success Message=A new process has been created. 
Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x22c New Process Name: C:\Windows\System32\smss.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x190 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 11/09/2020 10:49:59 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Process Creation OpCode=Info RecordNumber=227324 Keywords=Audit Success Message=A new process has been created. 
Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1ec New Process Name: C:\Windows\System32\csrss.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x1e4 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 11/09/2020 10:49:59 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Process Creation OpCode=Info RecordNumber=227323 Keywords=Audit Success Message=A new process has been created. 
Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1e4 New Process Name: C:\Windows\System32\smss.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x190 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 11/09/2020 10:50:00 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Special Logon OpCode=Info RecordNumber=227350 Keywords=Audit Success Message=Special privileges assigned to new logon. 
Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 10:50:00 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logon OpCode=Info RecordNumber=227349 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2b4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). 
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 10:50:00 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Special Logon OpCode=Info RecordNumber=227348 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 10:50:00 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logon OpCode=Info RecordNumber=227347 Keywords=Audit Success Message=An account was successfully logged on. 
Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2b4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. 
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
11/09/2020 10:50:00 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Special Logon OpCode=Info RecordNumber=227346 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
11/09/2020 10:50:00 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logon OpCode=Info RecordNumber=227345 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2b4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
11/09/2020 10:50:00 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Special Logon OpCode=Info RecordNumber=227344 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\LOCAL SERVICE Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege
11/09/2020 10:50:00 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logon OpCode=Info RecordNumber=227343 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\LOCAL SERVICE Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2b4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
11/09/2020 10:50:00 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Special Logon OpCode=Info RecordNumber=227342 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: Window Manager\DWM-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0xA0BE Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege
11/09/2020 10:50:00 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Special Logon OpCode=Info RecordNumber=227341 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: Window Manager\DWM-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0xA0AB Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege
11/09/2020 10:50:00 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logon OpCode=Info RecordNumber=227340 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: Window Manager\DWM-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0xA0BE Linked Logon ID: 0xA0AB Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x280 Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
11/09/2020 10:50:00 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logon OpCode=Info RecordNumber=227339 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: Window Manager\DWM-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0xA0AB Linked Logon ID: 0xA0BE Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x280 Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
11/09/2020 10:50:00 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logon OpCode=Info RecordNumber=227338 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: DWM-1 Account Domain: Window Manager Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x280 Process Name: C:\Windows\System32\winlogon.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
11/09/2020 10:50:00 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Special Logon OpCode=Info RecordNumber=227337 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: NETWORK SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E4 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege
11/09/2020 10:50:00 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logon OpCode=Info RecordNumber=227336 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: NETWORK SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2b4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
11/09/2020 10:50:00 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Special Logon OpCode=Info RecordNumber=227335 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
11/09/2020 10:50:00 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logon OpCode=Info RecordNumber=227334 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2b4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
11/09/2020 10:50:01 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Process Creation OpCode=Info RecordNumber=227322 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1b4 New Process Name: C:\Windows\System32\autochk.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x18c Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
11/09/2020 10:50:01 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Process Creation OpCode=Info RecordNumber=227321 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x18c New Process Name: C:\Windows\System32\smss.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x4 Creator Process Name: Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
11/09/2020 10:50:01 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4826 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Other Policy Change Events OpCode=Info RecordNumber=227320 Keywords=Audit Success Message=Boot Configuration Data loaded. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 General Settings: Load Options: - Advanced Options: No Configuration Access Policy: Default System Event Logging: No Kernel Debugging: No VSM Launch Type: Off Signature Settings: Test Signing: No Flight Signing: No Disable Integrity Checks: No HyperVisor Settings: HyperVisor Load Options: - HyperVisor Launch Type: Off HyperVisor Debugging: No
11/09/2020 10:50:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Process Creation OpCode=Info RecordNumber=227330 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x2c0 New Process Name: C:\Windows\System32\lsass.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x234 Creator Process Name: C:\Windows\System32\wininit.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
11/09/2020 10:50:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Process Creation OpCode=Info RecordNumber=227329 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x2b8 New Process Name: C:\Windows\System32\services.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x234 Creator Process Name: C:\Windows\System32\wininit.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
11/09/2020 10:50:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Process Creation OpCode=Info RecordNumber=227328 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x284 New Process Name: C:\Windows\System32\winlogon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x22c Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
11/09/2020 10:50:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Process Creation OpCode=Info RecordNumber=227327 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x23c New Process Name: C:\Windows\System32\csrss.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x22c Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
11/09/2020 10:50:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Process Creation OpCode=Info RecordNumber=227326 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x234 New Process Name: C:\Windows\System32\wininit.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x1e0 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
11/09/2020 10:50:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Process Creation OpCode=Info RecordNumber=227325 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x22c New Process Name: C:\Windows\System32\smss.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x18c Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
11/09/2020 10:50:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Process Creation OpCode=Info RecordNumber=227324 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1e8 New Process Name: C:\Windows\System32\csrss.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x1e0 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
11/09/2020 10:50:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Process Creation OpCode=Info RecordNumber=227323 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1e0 New Process Name: C:\Windows\System32\smss.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x18c Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
11/09/2020 10:50:03 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Special Logon OpCode=Info RecordNumber=227350 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
11/09/2020 10:50:03 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227349 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2b8 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 10:50:03 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Special Logon OpCode=Info RecordNumber=227348 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 10:50:03 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227347 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2b8 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. 
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 10:50:03 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Special Logon OpCode=Info RecordNumber=227346 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 10:50:03 AM LogName=Security SourceName=Microsoft Windows security auditing. 
EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227345 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2b8 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. 
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 10:50:03 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Special Logon OpCode=Info RecordNumber=227344 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\LOCAL SERVICE Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege 11/09/2020 10:50:03 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227343 Keywords=Audit Success Message=An account was successfully logged on. 
Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\LOCAL SERVICE Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2b8 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. 
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 10:50:03 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Special Logon OpCode=Info RecordNumber=227342 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: Window Manager\DWM-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0xA0E3 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege 11/09/2020 10:50:03 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Special Logon OpCode=Info RecordNumber=227341 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: Window Manager\DWM-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0xA0D0 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege 11/09/2020 10:50:03 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227340 Keywords=Audit Success Message=An account was successfully logged on. 
Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: Window Manager\DWM-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0xA0E3 Linked Logon ID: 0xA0D0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x284 Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. 
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 10:50:03 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227339 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: Window Manager\DWM-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0xA0D0 Linked Logon ID: 0xA0E3 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x284 Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. 
The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 10:50:03 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227338 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: DWM-1 Account Domain: Window Manager Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x284 Process Name: C:\Windows\System32\winlogon.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 10:50:03 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Special Logon OpCode=Info RecordNumber=227337 Keywords=Audit Success Message=Special privileges assigned to new logon. 
Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: NETWORK SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E4 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege 11/09/2020 10:50:03 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227336 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: NETWORK SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2b8 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. 
Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 10:50:03 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Special Logon OpCode=Info RecordNumber=227335 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 10:50:03 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227334 Keywords=Audit Success Message=An account was successfully logged on. 
Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2b8 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. 
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 10:50:03 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4902 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Audit Policy Change OpCode=Info RecordNumber=227333 Keywords=Audit Success Message=The Per-user audit policy table was created. Number of Elements: 0 Policy ID: 0x555D 11/09/2020 10:50:03 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227332 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 0 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: - New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4 Process Name: Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: - Authentication Package: - Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. 
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 10:50:03 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4608 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Security State Change OpCode=Info RecordNumber=227331 Keywords=Audit Success Message=Windows is starting up. This event is logged when LSASS.EXE starts and the auditing subsystem is initialized. 11/09/2020 10:50:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4616 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Security State Change OpCode=Info RecordNumber=227351 Keywords=Audit Success Message=The system time was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Process Information: Process ID: 0x460 Name: C:\Windows\System32\rundll32.exe Previous Time: ‎2020‎-‎11‎-‎09T10:50:05.666931400Z New Time: ‎2020‎-‎11‎-‎09T10:50:05.656000000Z This event is generated when the system time is changed. It is normal for the Windows Time Service, which runs with System privilege, to change the system time on a regular basis. Other system time changes may be indicative of attempts to tamper with the computer. 
11/09/2020 10:50:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4737 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Security Group Management OpCode=Info RecordNumber=227432 Keywords=Audit Success Message=A security-enabled global group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: WIN-HOST-8\None Group Name: None Group Domain: EC2AMAZ-DRAP9BO Changed Attributes: SAM Account Name: None SID History: - Additional Information: Privileges: - 11/09/2020 10:50:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4781 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=User Account Management OpCode=Info RecordNumber=227431 Keywords=Audit Success Message=The name of an account was changed: Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: WIN-HOST-8\None Account Domain: EC2AMAZ-DRAP9BO Old Account Name: None New Account Name: None Additional Information: Privileges: - 11/09/2020 10:50:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4737 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Security Group Management OpCode=Info RecordNumber=227430 Keywords=Audit Success Message=A security-enabled global group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: WIN-HOST-8\None Group Name: None Group Domain: EC2AMAZ-DRAP9BO Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 11/09/2020 10:50:06 AM LogName=Security SourceName=Microsoft Windows security auditing. 
EventCode=4738 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=User Account Management OpCode=Info RecordNumber=227429 Keywords=Audit Success Message=A user account was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: WIN-HOST-8\DefaultAccount Account Name: DefaultAccount Account Domain: EC2AMAZ-DRAP9BO Changed Attributes: SAM Account Name: DefaultAccount Display Name: User Principal Name: - Home Directory: Home Drive: Script Path: Profile Path: User Workstations: Password Last Set: Account Expires: Primary Group ID: 513 AllowedToDelegateTo: - Old UAC Value: 0x215 New UAC Value: 0x215 User Account Control: - User Parameters: SID History: - Logon Hours: All Additional Information: Privileges: - 11/09/2020 10:50:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4738 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=User Account Management OpCode=Info RecordNumber=227428 Keywords=Audit Success Message=A user account was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: WIN-HOST-8\DefaultAccount Account Name: DefaultAccount Account Domain: EC2AMAZ-DRAP9BO Changed Attributes: SAM Account Name: DefaultAccount Display Name: User Principal Name: - Home Directory: Home Drive: Script Path: Profile Path: User Workstations: Password Last Set: Account Expires: Primary Group ID: 513 AllowedToDelegateTo: - Old UAC Value: 0x215 New UAC Value: 0x215 User Account Control: - User Parameters: SID History: - Logon Hours: All Additional Information: Privileges: - 11/09/2020 10:50:06 AM LogName=Security SourceName=Microsoft Windows security auditing. 
EventCode=4738 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=User Account Management OpCode=Info RecordNumber=227427 Keywords=Audit Success Message=A user account was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: WIN-HOST-8\Guest Account Name: Guest Account Domain: EC2AMAZ-DRAP9BO Changed Attributes: SAM Account Name: Guest Display Name: User Principal Name: - Home Directory: Home Drive: Script Path: Profile Path: User Workstations: Password Last Set: Account Expires: Primary Group ID: 513 AllowedToDelegateTo: - Old UAC Value: 0x215 New UAC Value: 0x215 User Account Control: - User Parameters: SID History: - Logon Hours: All Additional Information: Privileges: - 11/09/2020 10:50:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4738 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=User Account Management OpCode=Info RecordNumber=227426 Keywords=Audit Success Message=A user account was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: WIN-HOST-8\Guest Account Name: Guest Account Domain: EC2AMAZ-DRAP9BO Changed Attributes: SAM Account Name: Guest Display Name: User Principal Name: - Home Directory: Home Drive: Script Path: Profile Path: User Workstations: Password Last Set: Account Expires: Primary Group ID: 513 AllowedToDelegateTo: - Old UAC Value: 0x215 New UAC Value: 0x215 User Account Control: - User Parameters: SID History: - Logon Hours: All Additional Information: Privileges: - 11/09/2020 10:50:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4738 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=User Account Management OpCode=Info RecordNumber=227425 Keywords=Audit Success Message=A user account was changed. 
Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Changed Attributes: SAM Account Name: Administrator Display Name: User Principal Name: - Home Directory: Home Drive: Script Path: Profile Path: User Workstations: Password Last Set: 11/9/2020 10:49:20 AM Account Expires: Primary Group ID: 513 AllowedToDelegateTo: - Old UAC Value: 0x14 New UAC Value: 0x14 User Account Control: - User Parameters: SID History: - Logon Hours: All Additional Information: Privileges: - 11/09/2020 10:50:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4738 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=User Account Management OpCode=Info RecordNumber=227424 Keywords=Audit Success Message=A user account was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Changed Attributes: SAM Account Name: Administrator Display Name: User Principal Name: - Home Directory: Home Drive: Script Path: Profile Path: User Workstations: Password Last Set: 11/9/2020 10:49:20 AM Account Expires: Primary Group ID: 513 AllowedToDelegateTo: - Old UAC Value: 0x14 New UAC Value: 0x14 User Account Control: - User Parameters: SID History: - Logon Hours: All Additional Information: Privileges: - 11/09/2020 10:50:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Security Group Management OpCode=Info RecordNumber=227423 Keywords=Audit Success Message=A security-enabled local group was changed. 
Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\System Managed Group Group Name: System Managed Accounts Group Group Domain: Builtin Changed Attributes: SAM Account Name: System Managed Accounts Group SID History: - Additional Information: Privileges: - 11/09/2020 10:50:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4781 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=User Account Management OpCode=Info RecordNumber=227422 Keywords=Audit Success Message=The name of an account was changed: Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: BUILTIN\System Managed Group Account Domain: Builtin Old Account Name: System Managed Accounts Group New Account Name: System Managed Accounts Group Additional Information: Privileges: - 11/09/2020 10:50:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Security Group Management OpCode=Info RecordNumber=227421 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\System Managed Group Group Name: System Managed Accounts Group Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 11/09/2020 10:50:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Security Group Management OpCode=Info RecordNumber=227420 Keywords=Audit Success Message=A security-enabled local group was changed. 
Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Storage Replica Administrators Group Name: Storage Replica Administrators Group Domain: Builtin Changed Attributes: SAM Account Name: Storage Replica Administrators SID History: - Additional Information: Privileges: - 11/09/2020 10:50:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4781 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=User Account Management OpCode=Info RecordNumber=227419 Keywords=Audit Success Message=The name of an account was changed: Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: BUILTIN\Storage Replica Administrators Account Domain: Builtin Old Account Name: Storage Replica Administrators New Account Name: Storage Replica Administrators Additional Information: Privileges: - 11/09/2020 10:50:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Security Group Management OpCode=Info RecordNumber=227418 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Storage Replica Administrators Group Name: Storage Replica Administrators Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 11/09/2020 10:50:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Security Group Management OpCode=Info RecordNumber=227417 Keywords=Audit Success Message=A security-enabled local group was changed. 
Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Remote Management Users Group Name: Remote Management Users Group Domain: Builtin Changed Attributes: SAM Account Name: Remote Management Users SID History: - Additional Information: Privileges: - 11/09/2020 10:50:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4781 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=User Account Management OpCode=Info RecordNumber=227416 Keywords=Audit Success Message=The name of an account was changed: Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: BUILTIN\Remote Management Users Account Domain: Builtin Old Account Name: Remote Management Users New Account Name: Remote Management Users Additional Information: Privileges: - 11/09/2020 10:50:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Security Group Management OpCode=Info RecordNumber=227415 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Remote Management Users Group Name: Remote Management Users Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 11/09/2020 10:50:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Security Group Management OpCode=Info RecordNumber=227414 Keywords=Audit Success Message=A security-enabled local group was changed. 
Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Access Control Assistance Operators Group Name: Access Control Assistance Operators Group Domain: Builtin Changed Attributes: SAM Account Name: Access Control Assistance Operators SID History: - Additional Information: Privileges: - 11/09/2020 10:50:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4781 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=User Account Management OpCode=Info RecordNumber=227413 Keywords=Audit Success Message=The name of an account was changed: Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: BUILTIN\Access Control Assistance Operators Account Domain: Builtin Old Account Name: Access Control Assistance Operators New Account Name: Access Control Assistance Operators Additional Information: Privileges: - 11/09/2020 10:50:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Security Group Management OpCode=Info RecordNumber=227412 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Access Control Assistance Operators Group Name: Access Control Assistance Operators Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 11/09/2020 10:50:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Security Group Management OpCode=Info RecordNumber=227411 Keywords=Audit Success Message=A security-enabled local group was changed. 
Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Hyper-V Administrators Group Name: Hyper-V Administrators Group Domain: Builtin Changed Attributes: SAM Account Name: Hyper-V Administrators SID History: - Additional Information: Privileges: - 11/09/2020 10:50:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4781 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=User Account Management OpCode=Info RecordNumber=227410 Keywords=Audit Success Message=The name of an account was changed: Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: BUILTIN\Hyper-V Administrators Account Domain: Builtin Old Account Name: Hyper-V Administrators New Account Name: Hyper-V Administrators Additional Information: Privileges: - 11/09/2020 10:50:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Security Group Management OpCode=Info RecordNumber=227409 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Hyper-V Administrators Group Name: Hyper-V Administrators Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 11/09/2020 10:50:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Security Group Management OpCode=Info RecordNumber=227408 Keywords=Audit Success Message=A security-enabled local group was changed. 
Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\RDS Management Servers Group Name: RDS Management Servers Group Domain: Builtin Changed Attributes: SAM Account Name: RDS Management Servers SID History: - Additional Information: Privileges: - 11/09/2020 10:50:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4781 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=User Account Management OpCode=Info RecordNumber=227407 Keywords=Audit Success Message=The name of an account was changed: Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: BUILTIN\RDS Management Servers Account Domain: Builtin Old Account Name: RDS Management Servers New Account Name: RDS Management Servers Additional Information: Privileges: - 11/09/2020 10:50:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Security Group Management OpCode=Info RecordNumber=227406 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\RDS Management Servers Group Name: RDS Management Servers Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 11/09/2020 10:50:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Security Group Management OpCode=Info RecordNumber=227405 Keywords=Audit Success Message=A security-enabled local group was changed. 
Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\RDS Endpoint Servers Group Name: RDS Endpoint Servers Group Domain: Builtin Changed Attributes: SAM Account Name: RDS Endpoint Servers SID History: - Additional Information: Privileges: - 11/09/2020 10:50:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4781 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=User Account Management OpCode=Info RecordNumber=227404 Keywords=Audit Success Message=The name of an account was changed: Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: BUILTIN\RDS Endpoint Servers Account Domain: Builtin Old Account Name: RDS Endpoint Servers New Account Name: RDS Endpoint Servers Additional Information: Privileges: - 11/09/2020 10:50:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Security Group Management OpCode=Info RecordNumber=227403 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\RDS Endpoint Servers Group Name: RDS Endpoint Servers Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 11/09/2020 10:50:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Security Group Management OpCode=Info RecordNumber=227402 Keywords=Audit Success Message=A security-enabled local group was changed. 
Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\RDS Remote Access Servers Group Name: RDS Remote Access Servers Group Domain: Builtin Changed Attributes: SAM Account Name: RDS Remote Access Servers SID History: - Additional Information: Privileges: - 11/09/2020 10:50:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4781 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=User Account Management OpCode=Info RecordNumber=227401 Keywords=Audit Success Message=The name of an account was changed: Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: BUILTIN\RDS Remote Access Servers Account Domain: Builtin Old Account Name: RDS Remote Access Servers New Account Name: RDS Remote Access Servers Additional Information: Privileges: - 11/09/2020 10:50:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Security Group Management OpCode=Info RecordNumber=227400 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\RDS Remote Access Servers Group Name: RDS Remote Access Servers Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 11/09/2020 10:50:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Security Group Management OpCode=Info RecordNumber=227399 Keywords=Audit Success Message=A security-enabled local group was changed. 
Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Certificate Service DCOM Access Group Name: Certificate Service DCOM Access Group Domain: Builtin Changed Attributes: SAM Account Name: Certificate Service DCOM Access SID History: - Additional Information: Privileges: - 11/09/2020 10:50:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4781 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=User Account Management OpCode=Info RecordNumber=227398 Keywords=Audit Success Message=The name of an account was changed: Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: BUILTIN\Certificate Service DCOM Access Account Domain: Builtin Old Account Name: Certificate Service DCOM Access New Account Name: Certificate Service DCOM Access Additional Information: Privileges: - 11/09/2020 10:50:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Security Group Management OpCode=Info RecordNumber=227397 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Certificate Service DCOM Access Group Name: Certificate Service DCOM Access Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 11/09/2020 10:50:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Security Group Management OpCode=Info RecordNumber=227396 Keywords=Audit Success Message=A security-enabled local group was changed. 
Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Event Log Readers Group Name: Event Log Readers Group Domain: Builtin Changed Attributes: SAM Account Name: Event Log Readers SID History: - Additional Information: Privileges: - 11/09/2020 10:50:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4781 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=User Account Management OpCode=Info RecordNumber=227395 Keywords=Audit Success Message=The name of an account was changed: Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: BUILTIN\Event Log Readers Account Domain: Builtin Old Account Name: Event Log Readers New Account Name: Event Log Readers Additional Information: Privileges: - 11/09/2020 10:50:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Security Group Management OpCode=Info RecordNumber=227394 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Event Log Readers Group Name: Event Log Readers Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 11/09/2020 10:50:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Security Group Management OpCode=Info RecordNumber=227393 Keywords=Audit Success Message=A security-enabled local group was changed. 
Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Cryptographic Operators Group Name: Cryptographic Operators Group Domain: Builtin Changed Attributes: SAM Account Name: Cryptographic Operators SID History: - Additional Information: Privileges: - 11/09/2020 10:50:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4781 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=User Account Management OpCode=Info RecordNumber=227392 Keywords=Audit Success Message=The name of an account was changed: Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: BUILTIN\Cryptographic Operators Account Domain: Builtin Old Account Name: Cryptographic Operators New Account Name: Cryptographic Operators Additional Information: Privileges: - 11/09/2020 10:50:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Security Group Management OpCode=Info RecordNumber=227391 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Cryptographic Operators Group Name: Cryptographic Operators Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 11/09/2020 10:50:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Security Group Management OpCode=Info RecordNumber=227390 Keywords=Audit Success Message=A security-enabled local group was changed. 
Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\IIS_IUSRS Group Name: IIS_IUSRS Group Domain: Builtin Changed Attributes: SAM Account Name: IIS_IUSRS SID History: - Additional Information: Privileges: - 11/09/2020 10:50:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4781 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=User Account Management OpCode=Info RecordNumber=227389 Keywords=Audit Success Message=The name of an account was changed: Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: BUILTIN\IIS_IUSRS Account Domain: Builtin Old Account Name: IIS_IUSRS New Account Name: IIS_IUSRS Additional Information: Privileges: - 11/09/2020 10:50:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Security Group Management OpCode=Info RecordNumber=227388 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\IIS_IUSRS Group Name: IIS_IUSRS Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 11/09/2020 10:50:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Security Group Management OpCode=Info RecordNumber=227387 Keywords=Audit Success Message=A security-enabled local group was changed. 
Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Distributed COM Users Group Name: Distributed COM Users Group Domain: Builtin Changed Attributes: SAM Account Name: Distributed COM Users SID History: - Additional Information: Privileges: - 11/09/2020 10:50:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4781 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=User Account Management OpCode=Info RecordNumber=227386 Keywords=Audit Success Message=The name of an account was changed: Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: BUILTIN\Distributed COM Users Account Domain: Builtin Old Account Name: Distributed COM Users New Account Name: Distributed COM Users Additional Information: Privileges: - 11/09/2020 10:50:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Security Group Management OpCode=Info RecordNumber=227385 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Distributed COM Users Group Name: Distributed COM Users Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 11/09/2020 10:50:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Security Group Management OpCode=Info RecordNumber=227384 Keywords=Audit Success Message=A security-enabled local group was changed. 
Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Performance Log Users Group Name: Performance Log Users Group Domain: Builtin Changed Attributes: SAM Account Name: Performance Log Users SID History: - Additional Information: Privileges: - 11/09/2020 10:50:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4781 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=User Account Management OpCode=Info RecordNumber=227383 Keywords=Audit Success Message=The name of an account was changed: Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: BUILTIN\Performance Log Users Account Domain: Builtin Old Account Name: Performance Log Users New Account Name: Performance Log Users Additional Information: Privileges: - 11/09/2020 10:50:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Security Group Management OpCode=Info RecordNumber=227382 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Performance Log Users Group Name: Performance Log Users Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 11/09/2020 10:50:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Security Group Management OpCode=Info RecordNumber=227381 Keywords=Audit Success Message=A security-enabled local group was changed. 
Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Performance Monitor Users Group Name: Performance Monitor Users Group Domain: Builtin Changed Attributes: SAM Account Name: Performance Monitor Users SID History: - Additional Information: Privileges: - 11/09/2020 10:50:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4781 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=User Account Management OpCode=Info RecordNumber=227380 Keywords=Audit Success Message=The name of an account was changed: Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: BUILTIN\Performance Monitor Users Account Domain: Builtin Old Account Name: Performance Monitor Users New Account Name: Performance Monitor Users Additional Information: Privileges: - 11/09/2020 10:50:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Security Group Management OpCode=Info RecordNumber=227379 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Performance Monitor Users Group Name: Performance Monitor Users Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 11/09/2020 10:50:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Security Group Management OpCode=Info RecordNumber=227378 Keywords=Audit Success Message=A security-enabled local group was changed. 
Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Power Users Group Name: Power Users Group Domain: Builtin Changed Attributes: SAM Account Name: Power Users SID History: - Additional Information: Privileges: - 11/09/2020 10:50:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4781 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=User Account Management OpCode=Info RecordNumber=227377 Keywords=Audit Success Message=The name of an account was changed: Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: BUILTIN\Power Users Account Domain: Builtin Old Account Name: Power Users New Account Name: Power Users Additional Information: Privileges: - 11/09/2020 10:50:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Security Group Management OpCode=Info RecordNumber=227376 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Power Users Group Name: Power Users Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 11/09/2020 10:50:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Security Group Management OpCode=Info RecordNumber=227375 Keywords=Audit Success Message=A security-enabled local group was changed. 
Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Network Configuration Operators Group Name: Network Configuration Operators Group Domain: Builtin Changed Attributes: SAM Account Name: Network Configuration Operators SID History: - Additional Information: Privileges: - 11/09/2020 10:50:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4781 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=User Account Management OpCode=Info RecordNumber=227374 Keywords=Audit Success Message=The name of an account was changed: Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: BUILTIN\Network Configuration Operators Account Domain: Builtin Old Account Name: Network Configuration Operators New Account Name: Network Configuration Operators Additional Information: Privileges: - 11/09/2020 10:50:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Security Group Management OpCode=Info RecordNumber=227373 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Network Configuration Operators Group Name: Network Configuration Operators Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 11/09/2020 10:50:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Security Group Management OpCode=Info RecordNumber=227372 Keywords=Audit Success Message=A security-enabled local group was changed. 
Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Remote Desktop Users Group Name: Remote Desktop Users Group Domain: Builtin Changed Attributes: SAM Account Name: Remote Desktop Users SID History: - Additional Information: Privileges: - 11/09/2020 10:50:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4781 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=User Account Management OpCode=Info RecordNumber=227371 Keywords=Audit Success Message=The name of an account was changed: Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: BUILTIN\Remote Desktop Users Account Domain: Builtin Old Account Name: Remote Desktop Users New Account Name: Remote Desktop Users Additional Information: Privileges: - 11/09/2020 10:50:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Security Group Management OpCode=Info RecordNumber=227370 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Remote Desktop Users Group Name: Remote Desktop Users Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 11/09/2020 10:50:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Security Group Management OpCode=Info RecordNumber=227369 Keywords=Audit Success Message=A security-enabled local group was changed. 
Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Replicator Group Name: Replicator Group Domain: Builtin Changed Attributes: SAM Account Name: Replicator SID History: - Additional Information: Privileges: - 11/09/2020 10:50:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4781 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=User Account Management OpCode=Info RecordNumber=227368 Keywords=Audit Success Message=The name of an account was changed: Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: BUILTIN\Replicator Account Domain: Builtin Old Account Name: Replicator New Account Name: Replicator Additional Information: Privileges: - 11/09/2020 10:50:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Security Group Management OpCode=Info RecordNumber=227367 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Replicator Group Name: Replicator Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 11/09/2020 10:50:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Security Group Management OpCode=Info RecordNumber=227366 Keywords=Audit Success Message=A security-enabled local group was changed. 
Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Backup Operators Group Name: Backup Operators Group Domain: Builtin Changed Attributes: SAM Account Name: Backup Operators SID History: - Additional Information: Privileges: - 11/09/2020 10:50:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4781 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=User Account Management OpCode=Info RecordNumber=227365 Keywords=Audit Success Message=The name of an account was changed: Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: BUILTIN\Backup Operators Account Domain: Builtin Old Account Name: Backup Operators New Account Name: Backup Operators Additional Information: Privileges: - 11/09/2020 10:50:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Security Group Management OpCode=Info RecordNumber=227364 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Backup Operators Group Name: Backup Operators Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 11/09/2020 10:50:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Security Group Management OpCode=Info RecordNumber=227363 Keywords=Audit Success Message=A security-enabled local group was changed. 
Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Guests Group Name: Guests Group Domain: Builtin Changed Attributes: SAM Account Name: Guests SID History: - Additional Information: Privileges: - 11/09/2020 10:50:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4781 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=User Account Management OpCode=Info RecordNumber=227362 Keywords=Audit Success Message=The name of an account was changed: Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: BUILTIN\Guests Account Domain: Builtin Old Account Name: Guests New Account Name: Guests Additional Information: Privileges: - 11/09/2020 10:50:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Security Group Management OpCode=Info RecordNumber=227361 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Guests Group Name: Guests Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 11/09/2020 10:50:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Security Group Management OpCode=Info RecordNumber=227360 Keywords=Audit Success Message=A security-enabled local group was changed. 
Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Users Group Name: Users Group Domain: Builtin Changed Attributes: SAM Account Name: Users SID History: - Additional Information: Privileges: - 11/09/2020 10:50:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4781 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=User Account Management OpCode=Info RecordNumber=227359 Keywords=Audit Success Message=The name of an account was changed: Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: BUILTIN\Users Account Domain: Builtin Old Account Name: Users New Account Name: Users Additional Information: Privileges: - 11/09/2020 10:50:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Security Group Management OpCode=Info RecordNumber=227358 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Users Group Name: Users Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 11/09/2020 10:50:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Security Group Management OpCode=Info RecordNumber=227357 Keywords=Audit Success Message=A security-enabled local group was changed. 
Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Administrators Group Name: Administrators Group Domain: Builtin Changed Attributes: SAM Account Name: Administrators SID History: - Additional Information: Privileges: - 11/09/2020 10:50:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4781 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=User Account Management OpCode=Info RecordNumber=227356 Keywords=Audit Success Message=The name of an account was changed: Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: BUILTIN\Administrators Account Domain: Builtin Old Account Name: Administrators New Account Name: Administrators Additional Information: Privileges: - 11/09/2020 10:50:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Security Group Management OpCode=Info RecordNumber=227355 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Administrators Group Name: Administrators Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 11/09/2020 10:50:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Security Group Management OpCode=Info RecordNumber=227354 Keywords=Audit Success Message=A security-enabled local group was changed. 
Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Print Operators Group Name: Print Operators Group Domain: Builtin Changed Attributes: SAM Account Name: Print Operators SID History: - Additional Information: Privileges: - 11/09/2020 10:50:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4781 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=User Account Management OpCode=Info RecordNumber=227353 Keywords=Audit Success Message=The name of an account was changed: Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: BUILTIN\Print Operators Account Domain: Builtin Old Account Name: Print Operators New Account Name: Print Operators Additional Information: Privileges: - 11/09/2020 10:50:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Security Group Management OpCode=Info RecordNumber=227352 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Print Operators Group Name: Print Operators Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 11/09/2020 10:50:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5033 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Other System Events OpCode=Info RecordNumber=227435 Keywords=Audit Success Message=The Windows Firewall Driver started successfully. 11/09/2020 10:50:07 AM LogName=Security SourceName=Microsoft Windows security auditing. 
EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Special Logon OpCode=Info RecordNumber=227434 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 10:50:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logon OpCode=Info RecordNumber=227433 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2b4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. 
This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 10:50:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5024 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Other System Events OpCode=Info RecordNumber=227447 Keywords=Audit Success Message=The Windows Firewall service started successfully. 11/09/2020 10:50:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Security Group Management OpCode=Info RecordNumber=227446 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. 
Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Backup Operators Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x3dc Process Name: C:\Windows\System32\svchost.exe 11/09/2020 10:50:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Security Group Management OpCode=Info RecordNumber=227445 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Administrators Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x3dc Process Name: C:\Windows\System32\svchost.exe 11/09/2020 10:50:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logon OpCode=Info RecordNumber=227444 Keywords=Audit Success Message=An account was successfully logged on. 
Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\ANONYMOUS LOGON Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x198C3 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V1 Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. 
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 10:50:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Security Group Management OpCode=Info RecordNumber=227443 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E4 Group: Security ID: BUILTIN\Backup Operators Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x498 Process Name: C:\Windows\System32\svchost.exe 11/09/2020 10:50:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Security Group Management OpCode=Info RecordNumber=227442 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E4 Group: Security ID: BUILTIN\Administrators Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x498 Process Name: C:\Windows\System32\svchost.exe 11/09/2020 10:50:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Special Logon OpCode=Info RecordNumber=227441 Keywords=Audit Success Message=Special privileges assigned to new logon. 
Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 10:50:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logon OpCode=Info RecordNumber=227440 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2b4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). 
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 10:50:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Special Logon OpCode=Info RecordNumber=227439 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 10:50:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logon OpCode=Info RecordNumber=227438 Keywords=Audit Success Message=An account was successfully logged on. 
Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2b4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. 
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 10:50:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Special Logon OpCode=Info RecordNumber=227437 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 10:50:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logon OpCode=Info RecordNumber=227436 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2b4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. 
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 10:50:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4616 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Security State Change OpCode=Info RecordNumber=227351 Keywords=Audit Success Message=The system time was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Process Information: Process ID: 0x44c Name: C:\Windows\System32\rundll32.exe Previous Time: 2020-11-09T10:50:08.943682700Z New Time: 2020-11-09T10:50:08.934000000Z This event is generated when the system time is changed. It is normal for the Windows Time Service, which runs with System privilege, to change the system time on a regular basis.
Other system time changes may be indicative of attempts to tamper with the computer. 11/09/2020 10:50:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Security Group Management OpCode=Info RecordNumber=227450 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Administrators Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x3dc Process Name: C:\Windows\System32\svchost.exe 11/09/2020 10:50:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Special Logon OpCode=Info RecordNumber=227449 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 10:50:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logon OpCode=Info RecordNumber=227448 Keywords=Audit Success Message=An account was successfully logged on. 
Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2b4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. 
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 10:50:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4737 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Security Group Management OpCode=Info RecordNumber=227432 Keywords=Audit Success Message=A security-enabled global group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: ATTACKRANGE\Domain Users Group Name: None Group Domain: EC2AMAZ-VS2L7UP Changed Attributes: SAM Account Name: None SID History: - Additional Information: Privileges: - 11/09/2020 10:50:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4781 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=User Account Management OpCode=Info RecordNumber=227431 Keywords=Audit Success Message=The name of an account was changed: Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: ATTACKRANGE\Domain Users Account Domain: EC2AMAZ-VS2L7UP Old Account Name: None New Account Name: None Additional Information: Privileges: - 11/09/2020 10:50:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4737 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Security Group Management OpCode=Info RecordNumber=227430 Keywords=Audit Success Message=A security-enabled global group was changed. 
Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: ATTACKRANGE\Domain Users Group Name: None Group Domain: EC2AMAZ-VS2L7UP Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 11/09/2020 10:50:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4738 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=User Account Management OpCode=Info RecordNumber=227429 Keywords=Audit Success Message=A user account was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: ATTACKRANGE\DefaultAccount Account Name: DefaultAccount Account Domain: EC2AMAZ-VS2L7UP Changed Attributes: SAM Account Name: DefaultAccount Display Name: User Principal Name: - Home Directory: Home Drive: Script Path: Profile Path: User Workstations: Password Last Set: Account Expires: Primary Group ID: 513 AllowedToDelegateTo: - Old UAC Value: 0x215 New UAC Value: 0x215 User Account Control: - User Parameters: SID History: - Logon Hours: All Additional Information: Privileges: - 11/09/2020 10:50:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4738 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=User Account Management OpCode=Info RecordNumber=227428 Keywords=Audit Success Message=A user account was changed. 
Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: ATTACKRANGE\DefaultAccount Account Name: DefaultAccount Account Domain: EC2AMAZ-VS2L7UP Changed Attributes: SAM Account Name: DefaultAccount Display Name: User Principal Name: - Home Directory: Home Drive: Script Path: Profile Path: User Workstations: Password Last Set: Account Expires: Primary Group ID: 513 AllowedToDelegateTo: - Old UAC Value: 0x215 New UAC Value: 0x215 User Account Control: - User Parameters: SID History: - Logon Hours: All Additional Information: Privileges: - 11/09/2020 10:50:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4738 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=User Account Management OpCode=Info RecordNumber=227427 Keywords=Audit Success Message=A user account was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: ATTACKRANGE\Guest Account Name: Guest Account Domain: EC2AMAZ-VS2L7UP Changed Attributes: SAM Account Name: Guest Display Name: User Principal Name: - Home Directory: Home Drive: Script Path: Profile Path: User Workstations: Password Last Set: Account Expires: Primary Group ID: 513 AllowedToDelegateTo: - Old UAC Value: 0x215 New UAC Value: 0x215 User Account Control: - User Parameters: SID History: - Logon Hours: All Additional Information: Privileges: - 11/09/2020 10:50:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4738 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=User Account Management OpCode=Info RecordNumber=227426 Keywords=Audit Success Message=A user account was changed. 
Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: ATTACKRANGE\Guest Account Name: Guest Account Domain: EC2AMAZ-VS2L7UP Changed Attributes: SAM Account Name: Guest Display Name: User Principal Name: - Home Directory: Home Drive: Script Path: Profile Path: User Workstations: Password Last Set: Account Expires: Primary Group ID: 513 AllowedToDelegateTo: - Old UAC Value: 0x215 New UAC Value: 0x215 User Account Control: - User Parameters: SID History: - Logon Hours: All Additional Information: Privileges: - 11/09/2020 10:50:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4738 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=User Account Management OpCode=Info RecordNumber=227425 Keywords=Audit Success Message=A user account was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Changed Attributes: SAM Account Name: Administrator Display Name: User Principal Name: - Home Directory: Home Drive: Script Path: Profile Path: User Workstations: Password Last Set: 11/9/2020 10:49:23 AM Account Expires: Primary Group ID: 513 AllowedToDelegateTo: - Old UAC Value: 0x14 New UAC Value: 0x14 User Account Control: - User Parameters: SID History: - Logon Hours: All Additional Information: Privileges: - 11/09/2020 10:50:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4738 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=User Account Management OpCode=Info RecordNumber=227424 Keywords=Audit Success Message=A user account was changed. 
Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Changed Attributes: SAM Account Name: Administrator Display Name: User Principal Name: - Home Directory: Home Drive: Script Path: Profile Path: User Workstations: Password Last Set: 11/9/2020 10:49:23 AM Account Expires: Primary Group ID: 513 AllowedToDelegateTo: - Old UAC Value: 0x14 New UAC Value: 0x14 User Account Control: - User Parameters: SID History: - Logon Hours: All Additional Information: Privileges: - 11/09/2020 10:50:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Security Group Management OpCode=Info RecordNumber=227423 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\System Managed Group Group Name: System Managed Accounts Group Group Domain: Builtin Changed Attributes: SAM Account Name: System Managed Accounts Group SID History: - Additional Information: Privileges: - 11/09/2020 10:50:09 AM LogName=Security SourceName=Microsoft Windows security auditing. 
EventCode=4781 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=User Account Management OpCode=Info RecordNumber=227422 Keywords=Audit Success Message=The name of an account was changed: Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: BUILTIN\System Managed Group Account Domain: Builtin Old Account Name: System Managed Accounts Group New Account Name: System Managed Accounts Group Additional Information: Privileges: - 11/09/2020 10:50:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Security Group Management OpCode=Info RecordNumber=227421 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\System Managed Group Group Name: System Managed Accounts Group Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 11/09/2020 10:50:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Security Group Management OpCode=Info RecordNumber=227420 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Storage Replica Administrators Group Name: Storage Replica Administrators Group Domain: Builtin Changed Attributes: SAM Account Name: Storage Replica Administrators SID History: - Additional Information: Privileges: - 11/09/2020 10:50:09 AM LogName=Security SourceName=Microsoft Windows security auditing. 
EventCode=4781 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=User Account Management OpCode=Info RecordNumber=227419 Keywords=Audit Success Message=The name of an account was changed: Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: BUILTIN\Storage Replica Administrators Account Domain: Builtin Old Account Name: Storage Replica Administrators New Account Name: Storage Replica Administrators Additional Information: Privileges: - 11/09/2020 10:50:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Security Group Management OpCode=Info RecordNumber=227418 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Storage Replica Administrators Group Name: Storage Replica Administrators Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 11/09/2020 10:50:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Security Group Management OpCode=Info RecordNumber=227417 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Remote Management Users Group Name: Remote Management Users Group Domain: Builtin Changed Attributes: SAM Account Name: Remote Management Users SID History: - Additional Information: Privileges: - 11/09/2020 10:50:09 AM LogName=Security SourceName=Microsoft Windows security auditing. 
EventCode=4781 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=User Account Management OpCode=Info RecordNumber=227416 Keywords=Audit Success Message=The name of an account was changed: Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: BUILTIN\Remote Management Users Account Domain: Builtin Old Account Name: Remote Management Users New Account Name: Remote Management Users Additional Information: Privileges: - 11/09/2020 10:50:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Security Group Management OpCode=Info RecordNumber=227415 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Remote Management Users Group Name: Remote Management Users Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 11/09/2020 10:50:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Security Group Management OpCode=Info RecordNumber=227414 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Access Control Assistance Operators Group Name: Access Control Assistance Operators Group Domain: Builtin Changed Attributes: SAM Account Name: Access Control Assistance Operators SID History: - Additional Information: Privileges: - 11/09/2020 10:50:09 AM LogName=Security SourceName=Microsoft Windows security auditing. 
EventCode=4781 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=User Account Management OpCode=Info RecordNumber=227413 Keywords=Audit Success Message=The name of an account was changed: Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: BUILTIN\Access Control Assistance Operators Account Domain: Builtin Old Account Name: Access Control Assistance Operators New Account Name: Access Control Assistance Operators Additional Information: Privileges: - 11/09/2020 10:50:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Security Group Management OpCode=Info RecordNumber=227412 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Access Control Assistance Operators Group Name: Access Control Assistance Operators Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 11/09/2020 10:50:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Security Group Management OpCode=Info RecordNumber=227411 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Hyper-V Administrators Group Name: Hyper-V Administrators Group Domain: Builtin Changed Attributes: SAM Account Name: Hyper-V Administrators SID History: - Additional Information: Privileges: - 11/09/2020 10:50:09 AM LogName=Security SourceName=Microsoft Windows security auditing. 
EventCode=4781 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=User Account Management OpCode=Info RecordNumber=227410 Keywords=Audit Success Message=The name of an account was changed: Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: BUILTIN\Hyper-V Administrators Account Domain: Builtin Old Account Name: Hyper-V Administrators New Account Name: Hyper-V Administrators Additional Information: Privileges: - 11/09/2020 10:50:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Security Group Management OpCode=Info RecordNumber=227409 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Hyper-V Administrators Group Name: Hyper-V Administrators Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 11/09/2020 10:50:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Security Group Management OpCode=Info RecordNumber=227408 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\RDS Management Servers Group Name: RDS Management Servers Group Domain: Builtin Changed Attributes: SAM Account Name: RDS Management Servers SID History: - Additional Information: Privileges: - 11/09/2020 10:50:09 AM LogName=Security SourceName=Microsoft Windows security auditing. 
EventCode=4781 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=User Account Management OpCode=Info RecordNumber=227407 Keywords=Audit Success Message=The name of an account was changed: Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: BUILTIN\RDS Management Servers Account Domain: Builtin Old Account Name: RDS Management Servers New Account Name: RDS Management Servers Additional Information: Privileges: - 11/09/2020 10:50:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Security Group Management OpCode=Info RecordNumber=227406 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\RDS Management Servers Group Name: RDS Management Servers Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 11/09/2020 10:50:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Security Group Management OpCode=Info RecordNumber=227405 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\RDS Endpoint Servers Group Name: RDS Endpoint Servers Group Domain: Builtin Changed Attributes: SAM Account Name: RDS Endpoint Servers SID History: - Additional Information: Privileges: - 11/09/2020 10:50:09 AM LogName=Security SourceName=Microsoft Windows security auditing. 
EventCode=4781 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=User Account Management OpCode=Info RecordNumber=227404 Keywords=Audit Success Message=The name of an account was changed: Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: BUILTIN\RDS Endpoint Servers Account Domain: Builtin Old Account Name: RDS Endpoint Servers New Account Name: RDS Endpoint Servers Additional Information: Privileges: - 11/09/2020 10:50:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Security Group Management OpCode=Info RecordNumber=227403 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\RDS Endpoint Servers Group Name: RDS Endpoint Servers Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 11/09/2020 10:50:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Security Group Management OpCode=Info RecordNumber=227402 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\RDS Remote Access Servers Group Name: RDS Remote Access Servers Group Domain: Builtin Changed Attributes: SAM Account Name: RDS Remote Access Servers SID History: - Additional Information: Privileges: - 11/09/2020 10:50:09 AM LogName=Security SourceName=Microsoft Windows security auditing. 
EventCode=4781 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=User Account Management OpCode=Info RecordNumber=227401 Keywords=Audit Success Message=The name of an account was changed: Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: BUILTIN\RDS Remote Access Servers Account Domain: Builtin Old Account Name: RDS Remote Access Servers New Account Name: RDS Remote Access Servers Additional Information: Privileges: - 11/09/2020 10:50:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Security Group Management OpCode=Info RecordNumber=227400 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\RDS Remote Access Servers Group Name: RDS Remote Access Servers Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 11/09/2020 10:50:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Security Group Management OpCode=Info RecordNumber=227399 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Certificate Service DCOM Access Group Name: Certificate Service DCOM Access Group Domain: Builtin Changed Attributes: SAM Account Name: Certificate Service DCOM Access SID History: - Additional Information: Privileges: - 11/09/2020 10:50:09 AM LogName=Security SourceName=Microsoft Windows security auditing. 
EventCode=4781 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=User Account Management OpCode=Info RecordNumber=227398 Keywords=Audit Success Message=The name of an account was changed: Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: BUILTIN\Certificate Service DCOM Access Account Domain: Builtin Old Account Name: Certificate Service DCOM Access New Account Name: Certificate Service DCOM Access Additional Information: Privileges: - 11/09/2020 10:50:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Security Group Management OpCode=Info RecordNumber=227397 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Certificate Service DCOM Access Group Name: Certificate Service DCOM Access Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 11/09/2020 10:50:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Security Group Management OpCode=Info RecordNumber=227396 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Event Log Readers Group Name: Event Log Readers Group Domain: Builtin Changed Attributes: SAM Account Name: Event Log Readers SID History: - Additional Information: Privileges: - 11/09/2020 10:50:09 AM LogName=Security SourceName=Microsoft Windows security auditing. 
EventCode=4781 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=User Account Management OpCode=Info RecordNumber=227395 Keywords=Audit Success Message=The name of an account was changed: Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: BUILTIN\Event Log Readers Account Domain: Builtin Old Account Name: Event Log Readers New Account Name: Event Log Readers Additional Information: Privileges: - 11/09/2020 10:50:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Security Group Management OpCode=Info RecordNumber=227394 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Event Log Readers Group Name: Event Log Readers Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 11/09/2020 10:50:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Security Group Management OpCode=Info RecordNumber=227393 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Cryptographic Operators Group Name: Cryptographic Operators Group Domain: Builtin Changed Attributes: SAM Account Name: Cryptographic Operators SID History: - Additional Information: Privileges: - 11/09/2020 10:50:09 AM LogName=Security SourceName=Microsoft Windows security auditing. 
EventCode=4781 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=User Account Management OpCode=Info RecordNumber=227392 Keywords=Audit Success Message=The name of an account was changed: Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: BUILTIN\Cryptographic Operators Account Domain: Builtin Old Account Name: Cryptographic Operators New Account Name: Cryptographic Operators Additional Information: Privileges: - 11/09/2020 10:50:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Security Group Management OpCode=Info RecordNumber=227391 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Cryptographic Operators Group Name: Cryptographic Operators Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 11/09/2020 10:50:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Security Group Management OpCode=Info RecordNumber=227390 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\IIS_IUSRS Group Name: IIS_IUSRS Group Domain: Builtin Changed Attributes: SAM Account Name: IIS_IUSRS SID History: - Additional Information: Privileges: - 11/09/2020 10:50:09 AM LogName=Security SourceName=Microsoft Windows security auditing. 
EventCode=4781 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=User Account Management OpCode=Info RecordNumber=227389 Keywords=Audit Success Message=The name of an account was changed: Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: BUILTIN\IIS_IUSRS Account Domain: Builtin Old Account Name: IIS_IUSRS New Account Name: IIS_IUSRS Additional Information: Privileges: - 11/09/2020 10:50:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Security Group Management OpCode=Info RecordNumber=227388 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\IIS_IUSRS Group Name: IIS_IUSRS Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 11/09/2020 10:50:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Security Group Management OpCode=Info RecordNumber=227387 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Distributed COM Users Group Name: Distributed COM Users Group Domain: Builtin Changed Attributes: SAM Account Name: Distributed COM Users SID History: - Additional Information: Privileges: - 11/09/2020 10:50:09 AM LogName=Security SourceName=Microsoft Windows security auditing. 
EventCode=4781 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=User Account Management OpCode=Info RecordNumber=227386 Keywords=Audit Success Message=The name of an account was changed: Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: BUILTIN\Distributed COM Users Account Domain: Builtin Old Account Name: Distributed COM Users New Account Name: Distributed COM Users Additional Information: Privileges: - 11/09/2020 10:50:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Security Group Management OpCode=Info RecordNumber=227385 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Distributed COM Users Group Name: Distributed COM Users Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 11/09/2020 10:50:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Security Group Management OpCode=Info RecordNumber=227384 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Performance Log Users Group Name: Performance Log Users Group Domain: Builtin Changed Attributes: SAM Account Name: Performance Log Users SID History: - Additional Information: Privileges: - 11/09/2020 10:50:09 AM LogName=Security SourceName=Microsoft Windows security auditing. 
EventCode=4781 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=User Account Management OpCode=Info RecordNumber=227383 Keywords=Audit Success Message=The name of an account was changed: Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: BUILTIN\Performance Log Users Account Domain: Builtin Old Account Name: Performance Log Users New Account Name: Performance Log Users Additional Information: Privileges: - 11/09/2020 10:50:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Security Group Management OpCode=Info RecordNumber=227382 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Performance Log Users Group Name: Performance Log Users Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 11/09/2020 10:50:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Security Group Management OpCode=Info RecordNumber=227381 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Performance Monitor Users Group Name: Performance Monitor Users Group Domain: Builtin Changed Attributes: SAM Account Name: Performance Monitor Users SID History: - Additional Information: Privileges: - 11/09/2020 10:50:09 AM LogName=Security SourceName=Microsoft Windows security auditing. 
EventCode=4781 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=User Account Management OpCode=Info RecordNumber=227380 Keywords=Audit Success Message=The name of an account was changed: Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: BUILTIN\Performance Monitor Users Account Domain: Builtin Old Account Name: Performance Monitor Users New Account Name: Performance Monitor Users Additional Information: Privileges: - 11/09/2020 10:50:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Security Group Management OpCode=Info RecordNumber=227379 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Performance Monitor Users Group Name: Performance Monitor Users Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 11/09/2020 10:50:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Security Group Management OpCode=Info RecordNumber=227378 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: NONE_MAPPED Group Name: Power Users Group Domain: Builtin Changed Attributes: SAM Account Name: Power Users SID History: - Additional Information: Privileges: - 11/09/2020 10:50:09 AM LogName=Security SourceName=Microsoft Windows security auditing. 
EventCode=4781 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=User Account Management OpCode=Info RecordNumber=227377 Keywords=Audit Success Message=The name of an account was changed: Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: NONE_MAPPED Account Domain: Builtin Old Account Name: Power Users New Account Name: Power Users Additional Information: Privileges: - 11/09/2020 10:50:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Security Group Management OpCode=Info RecordNumber=227376 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: NONE_MAPPED Group Name: Power Users Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 11/09/2020 10:50:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Security Group Management OpCode=Info RecordNumber=227375 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Network Configuration Operators Group Name: Network Configuration Operators Group Domain: Builtin Changed Attributes: SAM Account Name: Network Configuration Operators SID History: - Additional Information: Privileges: - 11/09/2020 10:50:09 AM LogName=Security SourceName=Microsoft Windows security auditing. 
EventCode=4781 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=User Account Management OpCode=Info RecordNumber=227374 Keywords=Audit Success Message=The name of an account was changed: Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: BUILTIN\Network Configuration Operators Account Domain: Builtin Old Account Name: Network Configuration Operators New Account Name: Network Configuration Operators Additional Information: Privileges: - 11/09/2020 10:50:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Security Group Management OpCode=Info RecordNumber=227373 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Network Configuration Operators Group Name: Network Configuration Operators Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 11/09/2020 10:50:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Security Group Management OpCode=Info RecordNumber=227372 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Remote Desktop Users Group Name: Remote Desktop Users Group Domain: Builtin Changed Attributes: SAM Account Name: Remote Desktop Users SID History: - Additional Information: Privileges: - 11/09/2020 10:50:09 AM LogName=Security SourceName=Microsoft Windows security auditing. 
EventCode=4781 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=User Account Management OpCode=Info RecordNumber=227371 Keywords=Audit Success Message=The name of an account was changed: Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: BUILTIN\Remote Desktop Users Account Domain: Builtin Old Account Name: Remote Desktop Users New Account Name: Remote Desktop Users Additional Information: Privileges: - 11/09/2020 10:50:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Security Group Management OpCode=Info RecordNumber=227370 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Remote Desktop Users Group Name: Remote Desktop Users Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 11/09/2020 10:50:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Security Group Management OpCode=Info RecordNumber=227369 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Replicator Group Name: Replicator Group Domain: Builtin Changed Attributes: SAM Account Name: Replicator SID History: - Additional Information: Privileges: - 11/09/2020 10:50:09 AM LogName=Security SourceName=Microsoft Windows security auditing. 
EventCode=4781 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=User Account Management OpCode=Info RecordNumber=227368 Keywords=Audit Success Message=The name of an account was changed: Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: BUILTIN\Replicator Account Domain: Builtin Old Account Name: Replicator New Account Name: Replicator Additional Information: Privileges: - 11/09/2020 10:50:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Security Group Management OpCode=Info RecordNumber=227367 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Replicator Group Name: Replicator Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 11/09/2020 10:50:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Security Group Management OpCode=Info RecordNumber=227366 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Backup Operators Group Name: Backup Operators Group Domain: Builtin Changed Attributes: SAM Account Name: Backup Operators SID History: - Additional Information: Privileges: - 11/09/2020 10:50:09 AM LogName=Security SourceName=Microsoft Windows security auditing. 
EventCode=4781 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=User Account Management OpCode=Info RecordNumber=227365 Keywords=Audit Success Message=The name of an account was changed: Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: BUILTIN\Backup Operators Account Domain: Builtin Old Account Name: Backup Operators New Account Name: Backup Operators Additional Information: Privileges: - 11/09/2020 10:50:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Security Group Management OpCode=Info RecordNumber=227364 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Backup Operators Group Name: Backup Operators Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 11/09/2020 10:50:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Security Group Management OpCode=Info RecordNumber=227363 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Guests Group Name: Guests Group Domain: Builtin Changed Attributes: SAM Account Name: Guests SID History: - Additional Information: Privileges: - 11/09/2020 10:50:09 AM LogName=Security SourceName=Microsoft Windows security auditing. 
EventCode=4781 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=User Account Management OpCode=Info RecordNumber=227362 Keywords=Audit Success Message=The name of an account was changed: Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: BUILTIN\Guests Account Domain: Builtin Old Account Name: Guests New Account Name: Guests Additional Information: Privileges: - 11/09/2020 10:50:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Security Group Management OpCode=Info RecordNumber=227361 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Guests Group Name: Guests Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 11/09/2020 10:50:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Security Group Management OpCode=Info RecordNumber=227360 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Users Group Name: Users Group Domain: Builtin Changed Attributes: SAM Account Name: Users SID History: - Additional Information: Privileges: - 11/09/2020 10:50:09 AM LogName=Security SourceName=Microsoft Windows security auditing. 
EventCode=4781 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=User Account Management OpCode=Info RecordNumber=227359 Keywords=Audit Success Message=The name of an account was changed: Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: BUILTIN\Users Account Domain: Builtin Old Account Name: Users New Account Name: Users Additional Information: Privileges: - 11/09/2020 10:50:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Security Group Management OpCode=Info RecordNumber=227358 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Users Group Name: Users Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 11/09/2020 10:50:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Security Group Management OpCode=Info RecordNumber=227357 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Administrators Group Name: Administrators Group Domain: Builtin Changed Attributes: SAM Account Name: Administrators SID History: - Additional Information: Privileges: - 11/09/2020 10:50:09 AM LogName=Security SourceName=Microsoft Windows security auditing. 
EventCode=4781 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=User Account Management OpCode=Info RecordNumber=227356 Keywords=Audit Success Message=The name of an account was changed: Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: BUILTIN\Administrators Account Domain: Builtin Old Account Name: Administrators New Account Name: Administrators Additional Information: Privileges: - 11/09/2020 10:50:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Security Group Management OpCode=Info RecordNumber=227355 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Administrators Group Name: Administrators Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 11/09/2020 10:50:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Security Group Management OpCode=Info RecordNumber=227354 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Print Operators Group Name: Print Operators Group Domain: Builtin Changed Attributes: SAM Account Name: Print Operators SID History: - Additional Information: Privileges: - 11/09/2020 10:50:09 AM LogName=Security SourceName=Microsoft Windows security auditing. 
EventCode=4781 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=User Account Management OpCode=Info RecordNumber=227353 Keywords=Audit Success Message=The name of an account was changed: Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: BUILTIN\Print Operators Account Domain: Builtin Old Account Name: Print Operators New Account Name: Print Operators Additional Information: Privileges: - 11/09/2020 10:50:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Security Group Management OpCode=Info RecordNumber=227352 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Print Operators Group Name: Print Operators Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 11/09/2020 10:50:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Special Logon OpCode=Info RecordNumber=227452 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 10:50:10 AM LogName=Security SourceName=Microsoft Windows security auditing. 
EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logon OpCode=Info RecordNumber=227451 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2b4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. 
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 10:50:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Security Group Management OpCode=Info RecordNumber=227437 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Group: Security ID: BUILTIN\Backup Operators Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x484 Process Name: C:\Windows\System32\svchost.exe 11/09/2020 10:50:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Security Group Management OpCode=Info RecordNumber=227436 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Group: Security ID: BUILTIN\Administrators Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x484 Process Name: C:\Windows\System32\svchost.exe 11/09/2020 10:50:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5033 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Other System Events OpCode=Info RecordNumber=227435 Keywords=Audit Success Message=The Windows Firewall Driver started successfully. 
11/09/2020 10:50:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Special Logon OpCode=Info RecordNumber=227434 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
11/09/2020 10:50:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227433 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2b8 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
11/09/2020 10:50:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Security Group Management OpCode=Info RecordNumber=227449 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Backup Operators Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x3d0 Process Name: C:\Windows\System32\svchost.exe
11/09/2020 10:50:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Security Group Management OpCode=Info RecordNumber=227448 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Administrators Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x3d0 Process Name: C:\Windows\System32\svchost.exe
11/09/2020 10:50:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5024 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Other System Events OpCode=Info RecordNumber=227447 Keywords=Audit Success Message=The Windows Firewall service started successfully.
11/09/2020 10:50:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227446 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\ANONYMOUS LOGON Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x1B544 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V1 Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
11/09/2020 10:50:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Special Logon OpCode=Info RecordNumber=227445 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
11/09/2020 10:50:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227444 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2b8 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
11/09/2020 10:50:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Special Logon OpCode=Info RecordNumber=227443 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
11/09/2020 10:50:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227442 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2b8 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
11/09/2020 10:50:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Special Logon OpCode=Info RecordNumber=227441 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
11/09/2020 10:50:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227440 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2b8 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
11/09/2020 10:50:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Special Logon OpCode=Info RecordNumber=227439 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
11/09/2020 10:50:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227438 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2b8 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
11/09/2020 10:50:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5061 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=System Integrity OpCode=Info RecordNumber=227456 Keywords=Audit Success Message=Cryptographic operation. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: TSSecKeySet1 Key Type: Machine key. Cryptographic Operation: Operation: Open Key. Return Code: 0x0
11/09/2020 10:50:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5058 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Other System Events OpCode=Info RecordNumber=227455 Keywords=Audit Success Message=Key file operation. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: TSSecKeySet1 Key Type: Machine key. Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\f686aace6942fb7f7ceb231212eef4a4_e592d445-77f8-4f09-9dde-c74cee7316a9 Operation: Read persisted key from file. Return Code: 0x0
11/09/2020 10:50:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5061 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=System Integrity OpCode=Info RecordNumber=227454 Keywords=Audit Success Message=Cryptographic operation. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: TSSecKeySet1 Key Type: Machine key. Cryptographic Operation: Operation: Open Key. Return Code: 0x0
11/09/2020 10:50:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5058 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Other System Events OpCode=Info RecordNumber=227453 Keywords=Audit Success Message=Key file operation. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: TSSecKeySet1 Key Type: Machine key. Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\f686aace6942fb7f7ceb231212eef4a4_e592d445-77f8-4f09-9dde-c74cee7316a9 Operation: Read persisted key from file. Return Code: 0x0
11/09/2020 10:50:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Special Logon OpCode=Info RecordNumber=227452 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
11/09/2020 10:50:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227451 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2b8 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
11/09/2020 10:50:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Security Group Management OpCode=Info RecordNumber=227450 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Administrators Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x3d0 Process Name: C:\Windows\System32\svchost.exe
11/09/2020 10:50:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5061 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=System Integrity OpCode=Info RecordNumber=227456 Keywords=Audit Success Message=Cryptographic operation. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: TSSecKeySet1 Key Type: Machine key. Cryptographic Operation: Operation: Open Key. Return Code: 0x0
11/09/2020 10:50:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5058 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Other System Events OpCode=Info RecordNumber=227455 Keywords=Audit Success Message=Key file operation. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: TSSecKeySet1 Key Type: Machine key. Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\f686aace6942fb7f7ceb231212eef4a4_34ca4ca7-a721-48b1-9db0-17df5a4229a7 Operation: Read persisted key from file. Return Code: 0x0
11/09/2020 10:50:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5061 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=System Integrity OpCode=Info RecordNumber=227454 Keywords=Audit Success Message=Cryptographic operation. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: TSSecKeySet1 Key Type: Machine key. Cryptographic Operation: Operation: Open Key. Return Code: 0x0
11/09/2020 10:50:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5058 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Other System Events OpCode=Info RecordNumber=227453 Keywords=Audit Success Message=Key file operation. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: TSSecKeySet1 Key Type: Machine key. Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\f686aace6942fb7f7ceb231212eef4a4_34ca4ca7-a721-48b1-9db0-17df5a4229a7 Operation: Read persisted key from file. Return Code: 0x0
11/09/2020 10:50:22 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Special Logon OpCode=Info RecordNumber=227458 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
11/09/2020 10:50:22 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logon OpCode=Info RecordNumber=227457 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2b4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
11/09/2020 10:50:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Special Logon OpCode=Info RecordNumber=227458 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
11/09/2020 10:50:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227457 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2b8 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
11/09/2020 10:50:30 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Special Logon OpCode=Info RecordNumber=227460 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
11/09/2020 10:50:30 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227459 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2b8 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
11/09/2020 10:50:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Special Logon OpCode=Info RecordNumber=227460 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
11/09/2020 10:50:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logon OpCode=Info RecordNumber=227459 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2b4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 10:50:34 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4724 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=User Account Management OpCode=Info RecordNumber=227466 Keywords=Audit Success Message=An attempt was made to reset an account's password. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO 11/09/2020 10:50:34 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4738 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=User Account Management OpCode=Info RecordNumber=227465 Keywords=Audit Success Message=A user account was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Changed Attributes: SAM Account Name: Administrator Display Name: User Principal Name: - Home Directory: Home Drive: Script Path: Profile Path: User Workstations: Password Last Set: 11/9/2020 10:50:34 AM Account Expires: Primary Group ID: 513 AllowedToDelegateTo: - Old UAC Value: 0x14 New UAC Value: 0x10 User Account Control: 'Password Not Required' - Disabled User Parameters: - SID History: - Logon Hours: All Additional Information: Privileges: - 11/09/2020 10:50:34 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4798 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=User Account Management OpCode=Info RecordNumber=227464 Keywords=Audit Success Message=A user's local group membership was enumerated. 
Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 User: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Process Information: Process ID: 0xcc4 Process Name: C:\Windows\System32\net1.exe 11/09/2020 10:50:34 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4798 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=User Account Management OpCode=Info RecordNumber=227463 Keywords=Audit Success Message=A user's local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 User: Security ID: WIN-HOST-8\Guest Account Name: Guest Account Domain: EC2AMAZ-DRAP9BO Process Information: Process ID: 0x888 Process Name: C:\Windows\System32\wbem\WmiPrvSE.exe 11/09/2020 10:50:34 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4798 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=User Account Management OpCode=Info RecordNumber=227462 Keywords=Audit Success Message=A user's local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 User: Security ID: WIN-HOST-8\DefaultAccount Account Name: DefaultAccount Account Domain: EC2AMAZ-DRAP9BO Process Information: Process ID: 0x888 Process Name: C:\Windows\System32\wbem\WmiPrvSE.exe 11/09/2020 10:50:34 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4798 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=User Account Management OpCode=Info RecordNumber=227461 Keywords=Audit Success Message=A user's local group membership was enumerated. 
Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 User: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Process Information: Process ID: 0x888 Process Name: C:\Windows\System32\wbem\WmiPrvSE.exe 11/09/2020 10:50:34 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4724 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=User Account Management OpCode=Info RecordNumber=227466 Keywords=Audit Success Message=An attempt was made to reset an account's password. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP 11/09/2020 10:50:34 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4738 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=User Account Management OpCode=Info RecordNumber=227465 Keywords=Audit Success Message=A user account was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Changed Attributes: SAM Account Name: Administrator Display Name: User Principal Name: - Home Directory: Home Drive: Script Path: Profile Path: User Workstations: Password Last Set: 11/9/2020 10:50:34 AM Account Expires: Primary Group ID: 513 AllowedToDelegateTo: - Old UAC Value: 0x14 New UAC Value: 0x10 User Account Control: 'Password Not Required' - Disabled User Parameters: - SID History: - Logon Hours: All Additional Information: Privileges: - 11/09/2020 10:50:34 AM LogName=Security SourceName=Microsoft Windows security auditing. 
EventCode=4798 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=User Account Management OpCode=Info RecordNumber=227464 Keywords=Audit Success Message=A user's local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 User: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Process Information: Process ID: 0xcec Process Name: C:\Windows\System32\net1.exe 11/09/2020 10:50:34 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4798 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=User Account Management OpCode=Info RecordNumber=227463 Keywords=Audit Success Message=A user's local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 User: Security ID: ATTACKRANGE\Guest Account Name: Guest Account Domain: EC2AMAZ-VS2L7UP Process Information: Process ID: 0xa1c Process Name: C:\Windows\System32\wbem\WmiPrvSE.exe 11/09/2020 10:50:34 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4798 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=User Account Management OpCode=Info RecordNumber=227462 Keywords=Audit Success Message=A user's local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 User: Security ID: ATTACKRANGE\DefaultAccount Account Name: DefaultAccount Account Domain: EC2AMAZ-VS2L7UP Process Information: Process ID: 0xa1c Process Name: C:\Windows\System32\wbem\WmiPrvSE.exe 11/09/2020 10:50:34 AM LogName=Security SourceName=Microsoft Windows security auditing. 
EventCode=4798 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=User Account Management OpCode=Info RecordNumber=227461 Keywords=Audit Success Message=A user's local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 User: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Process Information: Process ID: 0xa1c Process Name: C:\Windows\System32\wbem\WmiPrvSE.exe 11/09/2020 10:50:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Special Logon OpCode=Info RecordNumber=227473 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0x76FF7 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 10:50:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227472 Keywords=Audit Success Message=An account was successfully logged on. 
Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 4 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0x76FF7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x998 Process Name: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Network Information: Workstation Name: EC2AMAZ-VS2L7UP Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. 
- Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 10:50:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227471 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x998 Process Name: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 10:50:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Credential Validation OpCode=Info RecordNumber=227470 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-VS2L7UP Error Code: 0x0 11/09/2020 10:50:37 AM LogName=Security SourceName=Microsoft Windows security auditing. 
EventCode=4798 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=User Account Management OpCode=Info RecordNumber=227469 Keywords=Audit Success Message=A user's local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 User: Security ID: ATTACKRANGE\Guest Account Name: Guest Account Domain: EC2AMAZ-VS2L7UP Process Information: Process ID: 0xa1c Process Name: C:\Windows\System32\wbem\WmiPrvSE.exe 11/09/2020 10:50:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4798 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=User Account Management OpCode=Info RecordNumber=227468 Keywords=Audit Success Message=A user's local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 User: Security ID: ATTACKRANGE\DefaultAccount Account Name: DefaultAccount Account Domain: EC2AMAZ-VS2L7UP Process Information: Process ID: 0xa1c Process Name: C:\Windows\System32\wbem\WmiPrvSE.exe 11/09/2020 10:50:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4798 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=User Account Management OpCode=Info RecordNumber=227467 Keywords=Audit Success Message=A user's local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 User: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Process Information: Process ID: 0xa1c Process Name: C:\Windows\System32\wbem\WmiPrvSE.exe 11/09/2020 10:50:38 AM LogName=Security SourceName=Microsoft Windows security auditing. 
EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Special Logon OpCode=Info RecordNumber=227473 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon ID: 0x79099 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 10:50:38 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logon OpCode=Info RecordNumber=227472 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 4 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon ID: 0x79099 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xab0 Process Name: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Network Information: Workstation Name: EC2AMAZ-DRAP9BO Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. 
This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 10:50:38 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logon OpCode=Info RecordNumber=227471 Keywords=Audit Success Message=A logon was attempted using explicit credentials. 
Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xab0 Process Name: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 10:50:38 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Credential Validation OpCode=Info RecordNumber=227470 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-DRAP9BO Error Code: 0x0 11/09/2020 10:50:38 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4798 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=User Account Management OpCode=Info RecordNumber=227469 Keywords=Audit Success Message=A user's local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 User: Security ID: WIN-HOST-8\Guest Account Name: Guest Account Domain: EC2AMAZ-DRAP9BO Process Information: Process ID: 0x888 Process Name: C:\Windows\System32\wbem\WmiPrvSE.exe 11/09/2020 10:50:38 AM LogName=Security SourceName=Microsoft Windows security auditing. 
EventCode=4798 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=User Account Management OpCode=Info RecordNumber=227468 Keywords=Audit Success Message=A user's local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 User: Security ID: WIN-HOST-8\DefaultAccount Account Name: DefaultAccount Account Domain: EC2AMAZ-DRAP9BO Process Information: Process ID: 0x888 Process Name: C:\Windows\System32\wbem\WmiPrvSE.exe 11/09/2020 10:50:38 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4798 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=User Account Management OpCode=Info RecordNumber=227467 Keywords=Audit Success Message=A user's local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 User: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Process Information: Process ID: 0x888 Process Name: C:\Windows\System32\wbem\WmiPrvSE.exe 11/09/2020 10:50:41 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Security Group Management OpCode=Info RecordNumber=227474 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Administrators Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x3d0 Process Name: C:\Windows\System32\svchost.exe 11/09/2020 10:50:44 AM LogName=Security SourceName=Microsoft Windows security auditing. 
EventCode=4799 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Security Group Management OpCode=Info RecordNumber=227474 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Administrators Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x3dc Process Name: C:\Windows\System32\svchost.exe 11/09/2020 10:50:45 AM LogName=Security SourceName=Microsoft-Windows-Eventlog EventCode=1100 EventType=4 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Service shutdown OpCode=Info RecordNumber=227475 Keywords=Audit Success Message=The event logging service has shut down. 11/09/2020 10:50:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4616 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Security State Change OpCode=Info RecordNumber=227476 Keywords=Audit Success Message=The system time was changed. Subject: Security ID: NT AUTHORITY\LOCAL SERVICE Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Process Information: Process ID: 0x4c4 Name: C:\Windows\System32\svchost.exe Previous Time: ‎2020‎-‎11‎-‎09T10:50:48.023605200Z New Time: ‎2020‎-‎11‎-‎09T10:50:48.014000000Z This event is generated when the system time is changed. It is normal for the Windows Time Service, which runs with System privilege, to change the system time on a regular basis. Other system time changes may be indicative of attempts to tamper with the computer. 11/09/2020 10:50:48 AM LogName=Security SourceName=Microsoft-Windows-Eventlog EventCode=1100 EventType=4 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Service shutdown OpCode=Info RecordNumber=227475 Keywords=Audit Success Message=The event logging service has shut down. 
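The records above are the ones a detection engineer would pull apart: SYSTEM (services.exe) resetting the built-in Administrator's password (4724) and clearing 'Password Not Required' on it (4738, UAC value 0x14 to 0x10), powershell.exe then logging that account on with explicit credentials against localhost (4648), which yields a type 4 logon (4624) carrying SeDebugPrivilege and friends (4672), svchost.exe under LOCAL SERVICE nudging the clock by a few milliseconds (4616), and finally the event log service stopping (1100). The Python below is an added example, not part of this log export or of the tooling that produced it. It splits the flat export format into records, pulls values out of the flattened Message text, decodes the 4738 bitmask and runs the checks over a constructed sample: condensed copies of seven records from this page (same field values, Microsoft's per-event description text dropped). The rule names, the one-second "routine clock adjustment" threshold and the name-based Administrator match are the example's own choices; the flag table is the SAM USER_* encoding that the 4720/4738 'Old/New UAC Value' fields use (0x1 disabled, 0x4 password not required, 0x10 normal account), which is not the LDAP userAccountControl layout.

```python
"""Added example, not part of the log export above or of any tool that produced it:
parse the flat Security-log export format and run detection checks over it."""
import re
from datetime import datetime, timedelta

LRM = "\u200e"  # Windows wraps 4616 timestamps in left-to-right marks
# Constructed sample: condensed copies of seven records from the page (same field
# values, Microsoft's per-event description text dropped).
SAMPLE_RECORDS = [
    r"11/09/2020 10:50:34 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4724 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=User Account Management OpCode=Info RecordNumber=227466 Keywords=Audit Success Message=An attempt was made to reset an account's password. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP",
    r"11/09/2020 10:50:34 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4738 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=User Account Management OpCode=Info RecordNumber=227465 Keywords=Audit Success Message=A user account was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Changed Attributes: Password Last Set: 11/9/2020 10:50:34 AM Old UAC Value: 0x14 New UAC Value: 0x10 User Account Control: 'Password Not Required' - Disabled",
    r"11/09/2020 10:50:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Special Logon OpCode=Info RecordNumber=227473 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0x76FF7 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege",
    r"11/09/2020 10:50:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227472 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 4 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0x76FF7 Linked Logon ID: 0x0 Process Information: Process ID: 0x998 Process Name: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Network Information: Workstation Name: EC2AMAZ-VS2L7UP Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Key Length: 0",
    r"11/09/2020 10:50:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227471 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x998 Process Name: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Network Information: Network Address: - Port: -",
    rf"11/09/2020 10:50:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4616 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Security State Change OpCode=Info RecordNumber=227476 Keywords=Audit Success Message=The system time was changed. Subject: Security ID: NT AUTHORITY\LOCAL SERVICE Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Process Information: Process ID: 0x4c4 Name: C:\Windows\System32\svchost.exe Previous Time: {LRM}2020{LRM}-{LRM}11{LRM}-{LRM}09T10:50:48.023605200Z New Time: {LRM}2020{LRM}-{LRM}11{LRM}-{LRM}09T10:50:48.014000000Z",
    r"11/09/2020 10:50:45 AM LogName=Security SourceName=Microsoft-Windows-Eventlog EventCode=1100 EventType=4 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Service shutdown OpCode=Info RecordNumber=227475 Keywords=Audit Success Message=The event logging service has shut down.",
]
SAMPLE_DUMP = " ".join(SAMPLE_RECORDS)  # the export runs records together like this

RECORD_START = r"\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2} [AP]M LogName="
HEADER_RE = re.compile(r"^(?P<ts>\S+ \S+ [AP]M) (?P<hdr>.*?) Message=(?P<msg>.*)$", re.S)

def parse_dump(text):
    """Split at record starts; return dicts of the key=value header fields plus 'ts' and 'msg'."""
    events = []
    for rec in re.split(rf"(?={RECORD_START})", text):
        m = HEADER_RE.match(rec.strip())
        if m:
            ev = {"ts": datetime.strptime(m["ts"], "%m/%d/%Y %I:%M:%S %p"), "msg": m["msg"]}
            ev.update(re.findall(r"(\w+)=(.*?)(?= \w+=|$)", m["hdr"]))
            events.append(ev)
    return events

def field(msg, label, after="", until=None):
    """Value after 'label:' in the flattened body. 'after' skips to a section marker (labels
    like 'Account Name' repeat per section); 'until' ends a value that itself contains spaces."""
    pos = msg.find(after) if after else 0
    value = r":\s*(.*?)\s+" + re.escape(until) + ":" if until else r":\s*(\S+)"
    m = re.search(re.escape(label) + value, msg[pos:]) if pos >= 0 else None
    return m.group(1) if m else None

# SAM USER_* account-control bits, the encoding the 4720/4738 'Old/New UAC Value'
# fields use (not the LDAP userAccountControl layout); low 12 bits listed.
SAM_UAC_FLAGS = {
    0x1: "Account Disabled", 0x2: "Home Directory Required",
    0x4: "'Password Not Required'", 0x8: "Temp Duplicate Account",
    0x10: "Normal Account", 0x20: "MNS Logon Account",
    0x40: "Interdomain Trust Account", 0x80: "Workstation Trust Account",
    0x100: "Server Trust Account", 0x200: "'Don't Expire Password'",
    0x400: "Account Auto Locked", 0x800: "Encrypted Text Password Allowed",
}

def uac_diff(old, new):
    """Flags that differ between two UAC values, as (name, 'Enabled'|'Disabled')."""
    return [(name, "Enabled" if new & bit else "Disabled")
            for bit, name in SAM_UAC_FLAGS.items() if (old ^ new) & bit]

def parse_w32time(s):
    """Parse a 4616 timestamp: drop the LRM marks, keep microsecond precision."""
    base, _, frac = s.replace(LRM, "").rstrip("Z").partition(".")
    return datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(microsecond=int(frac[:6].ljust(6, "0")))

def analyze(events):
    """Run the checks; returns a list of finding dicts (rule names are this example's own)."""
    findings, privs, by_pid = [], {}, {}
    for ev in events:
        code, host, msg = ev["EventCode"], ev["ComputerName"], ev["msg"]
        if code == "4724" and field(msg, "Account Name", "Target Account:") == "Administrator":
            findings.append({"host": host, "rule": "admin_password_reset", "by": field(msg, "Account Name", "Subject:")})
        elif code == "4738":
            old, new = (int(field(msg, k), 16) for k in ("Old UAC Value", "New UAC Value"))
            findings.append({"host": host, "rule": "account_control_change", "changes": uac_diff(old, new),
                             "account": field(msg, "Account Name", "Target Account:")})
        elif code == "4672":  # privileges keyed by the logon session they were granted to
            privs[(host, field(msg, "Logon ID", "Subject:"))] = re.findall(r"Se\w+Privilege", msg)
        elif code in ("4648", "4624"):  # both halves of a runas-style logon share the process id
            by_pid.setdefault((host, field(msg, "Process ID")), {})[code] = msg
        elif code == "4616":
            us = (parse_w32time(field(msg, "New Time")) - parse_w32time(field(msg, "Previous Time"))) // timedelta(microseconds=1)
            proc = field(msg, "Name", "Process Information:")
            # assumed threshold: sub-second corrections from svchost.exe (the time service) are routine
            findings.append({"host": host, "rule": "time_change", "delta_us": us, "process": proc,
                             "expected": proc.lower().endswith("svchost.exe") and abs(us) < 1_000_000})
        elif code == "1100":  # audit trail stops here; confirm a boot (4688 smss.exe) follows, not tampering
            findings.append({"host": host, "rule": "eventlog_shutdown", "at": ev["ts"].isoformat()})
    for (host, pid), pair in by_pid.items():
        if "4648" in pair and "4624" in pair:
            lid = field(pair["4624"], "Logon ID", "New Logon:")
            findings.append({"host": host, "rule": "explicit_cred_logon", "pid": pid, "logon_id": lid,
                             "process": field(pair["4648"], "Process Name"),
                             "user": field(pair["4648"], "Account Name", "Account Whose Credentials Were Used:"),
                             "target": field(pair["4648"], "Target Server Name"),
                             "logon_type": field(pair["4624"], "Logon Type"),
                             "privileges": privs.get((host, lid), [])})
    return findings

if __name__ == "__main__":
    print(*analyze(parse_dump(SAMPLE_DUMP)), sep="\n")
```

Three things about the export shape drive the design. Within one second the records are listed newest-first (RecordNumber 227473 for the 4672 sits before 227471 for the 4648 that caused it), so the 4648/4624/4672 chain is joined on Process ID and Logon ID rather than on order. Subject, Target Account and New Logon all carry an 'Account Name' field, so every lookup names its section. And the Administrator match is by name because this export prints names where the SID would be; on a feed that carries raw SIDs, match the RID -500 instead. Two of the findings are benign here and the checks say so: the 4616 is svchost.exe under LOCAL SERVICE moving the clock back 9,605 microseconds, which the event's own description text calls routine for the time service, and the 1100 on EC2AMAZ-VS2L7UP is followed by the boot-time 4688 records for smss.exe (creator PID 0x4) at 11:24:35, so it is a reboot rather than the log being stopped in place.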
11/09/2020 11:24:35 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Process Creation OpCode=Info RecordNumber=227478 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x278 New Process Name: C:\Windows\System32\autochk.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x1f4 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 11/09/2020 11:24:35 AM LogName=Security SourceName=Microsoft Windows security auditing. 
EventCode=4688 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Process Creation OpCode=Info RecordNumber=227477 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1f4 New Process Name: C:\Windows\System32\smss.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x4 Creator Process Name: Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 11/09/2020 11:24:35 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4826 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Other Policy Change Events OpCode=Info RecordNumber=227476 Keywords=Audit Success Message=Boot Configuration Data loaded. 
Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 General Settings: Load Options: - Advanced Options: No Configuration Access Policy: Default System Event Logging: No Kernel Debugging: No VSM Launch Type: Off Signature Settings: Test Signing: No Flight Signing: No Disable Integrity Checks: No HyperVisor Settings: HyperVisor Load Options: - HyperVisor Launch Type: Off HyperVisor Debugging: No 11/09/2020 11:24:40 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Process Creation OpCode=Info RecordNumber=227484 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x350 New Process Name: C:\Windows\System32\winlogon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x2f4 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. 
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 11/09/2020 11:24:40 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Process Creation OpCode=Info RecordNumber=227483 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x314 New Process Name: C:\Windows\System32\wininit.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x2ac Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. 
The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 11/09/2020 11:24:40 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Process Creation OpCode=Info RecordNumber=227482 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x2fc New Process Name: C:\Windows\System32\csrss.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x2f4 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. 
The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 11/09/2020 11:24:40 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Process Creation OpCode=Info RecordNumber=227481 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x2f4 New Process Name: C:\Windows\System32\smss.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x1f4 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 
11/09/2020 11:24:40 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Process Creation OpCode=Info RecordNumber=227480 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x2b4 New Process Name: C:\Windows\System32\csrss.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x2ac Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 11/09/2020 11:24:40 AM LogName=Security SourceName=Microsoft Windows security auditing. 
EventCode=4688 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Process Creation OpCode=Info RecordNumber=227479 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x2ac New Process Name: C:\Windows\System32\smss.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x1f4 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 11/09/2020 11:24:41 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227488 Keywords=Audit Success Message=An account was successfully logged on. 
Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 0 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: - New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4 Process Name: Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: - Authentication Package: - Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. 
This will be 0 if no session key was requested. 11/09/2020 11:24:41 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4608 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Security State Change OpCode=Info RecordNumber=227487 Keywords=Audit Success Message=Windows is starting up. This event is logged when LSASS.EXE starts and the auditing subsystem is initialized. 11/09/2020 11:24:41 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Process Creation OpCode=Info RecordNumber=227486 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x394 New Process Name: C:\Windows\System32\lsass.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x314 Creator Process Name: C:\Windows\System32\wininit.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. 
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 11/09/2020 11:24:41 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Process Creation OpCode=Info RecordNumber=227485 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x384 New Process Name: C:\Windows\System32\services.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x314 Creator Process Name: C:\Windows\System32\wininit.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. 
The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 11/09/2020 11:24:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Special Logon OpCode=Info RecordNumber=227493 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: NETWORK SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E4 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege 11/09/2020 11:24:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227492 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: NETWORK SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x384 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. 
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:24:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Special Logon OpCode=Info RecordNumber=227491 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:24:42 AM LogName=Security SourceName=Microsoft Windows security auditing. 
EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227490 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x384 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. 
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:24:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4902 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Audit Policy Change OpCode=Info RecordNumber=227489 Keywords=Audit Success Message=The Per-user audit policy table was created. Number of Elements: 0 Policy ID: 0x70E2 11/09/2020 11:24:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5033 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Other System Events OpCode=Info RecordNumber=227505 Keywords=Audit Success Message=The Windows Firewall Driver started successfully. 11/09/2020 11:24:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Special Logon OpCode=Info RecordNumber=227504 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: Window Manager\DWM-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x10FC1 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege 11/09/2020 11:24:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Special Logon OpCode=Info RecordNumber=227503 Keywords=Audit Success Message=Special privileges assigned to new logon. 
Subject: Security ID: Window Manager\DWM-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x10FB0 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege 11/09/2020 11:24:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227502 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: Window Manager\DWM-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x10FC1 Linked Logon ID: 0x10FB0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x350 Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. 
The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:24:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227501 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: Window Manager\DWM-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x10FB0 Linked Logon ID: 0x10FC1 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x350 Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. 
This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:24:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227500 Keywords=Audit Success Message=A logon was attempted using explicit credentials. 
Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: DWM-1 Account Domain: Window Manager Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x350 Process Name: C:\Windows\System32\winlogon.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:24:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Special Logon OpCode=Info RecordNumber=227499 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:24:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227498 Keywords=Audit Success Message=An account was successfully logged on. 
Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x384 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. 
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:24:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Special Logon OpCode=Info RecordNumber=227497 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\LOCAL SERVICE Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege 11/09/2020 11:24:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227496 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\LOCAL SERVICE Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x384 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. 
This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:24:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Special Logon OpCode=Info RecordNumber=227495 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:24:43 AM LogName=Security SourceName=Microsoft Windows security auditing. 
EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227494 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x384 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. 
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:24:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Security Group Management OpCode=Info RecordNumber=227516 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Group: Security ID: BUILTIN\Backup Operators Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe 11/09/2020 11:24:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Security Group Management OpCode=Info RecordNumber=227515 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Group: Security ID: BUILTIN\Administrators Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe 11/09/2020 11:24:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227514 Keywords=Audit Success Message=An account was successfully logged on. 
Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\ANONYMOUS LOGON Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x16AEC Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V1 Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. 
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:24:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Special Logon OpCode=Info RecordNumber=227513 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:24:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227512 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x384 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. 
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:24:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Special Logon OpCode=Info RecordNumber=227511 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:24:44 AM LogName=Security SourceName=Microsoft Windows security auditing. 
EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227510 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x384 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. 
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:24:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Special Logon OpCode=Info RecordNumber=227509 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:24:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227508 Keywords=Audit Success Message=An account was successfully logged on. 
Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x384 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. 
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:24:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Special Logon OpCode=Info RecordNumber=227507 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:24:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227506 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x384 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. 
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:24:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5024 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Other System Events OpCode=Info RecordNumber=227519 Keywords=Audit Success Message=The Windows Firewall service started successfully. 11/09/2020 11:24:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Security Group Management OpCode=Info RecordNumber=227518 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. 
Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Backup Operators Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x414 Process Name: C:\Windows\System32\svchost.exe 11/09/2020 11:24:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Security Group Management OpCode=Info RecordNumber=227517 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Administrators Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x414 Process Name: C:\Windows\System32\svchost.exe 11/09/2020 11:24:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Special Logon OpCode=Info RecordNumber=227521 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:24:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227520 Keywords=Audit Success Message=An account was successfully logged on. 
Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x384 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. 
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:25:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Special Logon OpCode=Info RecordNumber=227523 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:25:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227522 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x384 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. 
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:25:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4724 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=User Account Management OpCode=Info RecordNumber=227529 Keywords=Audit Success Message=An attempt was made to reset an account's password. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP 11/09/2020 11:25:26 AM LogName=Security SourceName=Microsoft Windows security auditing. 
EventCode=4738 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=User Account Management OpCode=Info RecordNumber=227528 Keywords=Audit Success Message=A user account was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Changed Attributes: SAM Account Name: Administrator Display Name: User Principal Name: - Home Directory: Home Drive: Script Path: Profile Path: User Workstations: Password Last Set: 11/9/2020 11:25:26 AM Account Expires: Primary Group ID: 513 AllowedToDelegateTo: - Old UAC Value: 0x10 New UAC Value: 0x10 User Account Control: - User Parameters: - SID History: - Logon Hours: All Additional Information: Privileges: - 11/09/2020 11:25:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4798 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=User Account Management OpCode=Info RecordNumber=227527 Keywords=Audit Success Message=A user's local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 User: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Process Information: Process ID: 0xfcc Process Name: C:\Windows\System32\net1.exe 11/09/2020 11:25:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4798 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=User Account Management OpCode=Info RecordNumber=227526 Keywords=Audit Success Message=A user's local group membership was enumerated. 
Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 User: Security ID: ATTACKRANGE\Guest Account Name: Guest Account Domain: EC2AMAZ-VS2L7UP Process Information: Process ID: 0xb08 Process Name: C:\Windows\System32\wbem\WmiPrvSE.exe 11/09/2020 11:25:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4798 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=User Account Management OpCode=Info RecordNumber=227525 Keywords=Audit Success Message=A user's local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 User: Security ID: ATTACKRANGE\DefaultAccount Account Name: DefaultAccount Account Domain: EC2AMAZ-VS2L7UP Process Information: Process ID: 0xb08 Process Name: C:\Windows\System32\wbem\WmiPrvSE.exe 11/09/2020 11:25:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4798 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=User Account Management OpCode=Info RecordNumber=227524 Keywords=Audit Success Message=A user's local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 User: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Process Information: Process ID: 0xb08 Process Name: C:\Windows\System32\wbem\WmiPrvSE.exe 11/09/2020 11:25:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4798 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=User Account Management OpCode=Info RecordNumber=227532 Keywords=Audit Success Message=A user's local group membership was enumerated. 
Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 User: Security ID: ATTACKRANGE\Guest Account Name: Guest Account Domain: EC2AMAZ-VS2L7UP Process Information: Process ID: 0xb08 Process Name: C:\Windows\System32\wbem\WmiPrvSE.exe 11/09/2020 11:25:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4798 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=User Account Management OpCode=Info RecordNumber=227531 Keywords=Audit Success Message=A user's local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 User: Security ID: ATTACKRANGE\DefaultAccount Account Name: DefaultAccount Account Domain: EC2AMAZ-VS2L7UP Process Information: Process ID: 0xb08 Process Name: C:\Windows\System32\wbem\WmiPrvSE.exe 11/09/2020 11:25:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4798 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=User Account Management OpCode=Info RecordNumber=227530 Keywords=Audit Success Message=A user's local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 User: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Process Information: Process ID: 0xb08 Process Name: C:\Windows\System32\wbem\WmiPrvSE.exe 11/09/2020 11:25:32 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Security Group Management OpCode=Info RecordNumber=227537 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. 
Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Administrators Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x414 Process Name: C:\Windows\System32\svchost.exe 11/09/2020 11:25:32 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Special Logon OpCode=Info RecordNumber=227536 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0x6F65E Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:25:32 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227535 Keywords=Audit Success Message=An account was successfully logged on. 
Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 4 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0x6F65E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xbe0 Process Name: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Network Information: Workstation Name: EC2AMAZ-VS2L7UP Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. 
- Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:25:32 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227534 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xbe0 Process Name: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:25:32 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Credential Validation OpCode=Info RecordNumber=227533 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-VS2L7UP Error Code: 0x0 11/09/2020 11:25:33 AM LogName=Security SourceName=Microsoft Windows security auditing. 
EventCode=4724 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=User Account Management OpCode=Info RecordNumber=227541 Keywords=Audit Success Message=An attempt was made to reset an account's password. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0x6F65E Target Account: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP 11/09/2020 11:25:33 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4738 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=User Account Management OpCode=Info RecordNumber=227540 Keywords=Audit Success Message=A user account was changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0x6F65E Target Account: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Changed Attributes: SAM Account Name: Administrator Display Name: User Principal Name: - Home Directory: Home Drive: Script Path: Profile Path: User Workstations: Password Last Set: 11/9/2020 11:25:33 AM Account Expires: Primary Group ID: 513 AllowedToDelegateTo: - Old UAC Value: 0x10 New UAC Value: 0x10 User Account Control: - User Parameters: - SID History: - Logon Hours: All Additional Information: Privileges: - 11/09/2020 11:25:33 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4798 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=User Account Management OpCode=Info RecordNumber=227539 Keywords=Audit Success Message=A user's local group membership was enumerated. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0x6F65E User: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Process Information: Process ID: 0x0 Process Name: - 11/09/2020 11:25:33 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4798 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=User Account Management OpCode=Info RecordNumber=227538 Keywords=Audit Success Message=A user's local group membership was enumerated. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0x6F65E User: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Process Information: Process ID: 0x0 Process Name: - 11/09/2020 11:25:36 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5061 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=System Integrity OpCode=Info RecordNumber=227551 Keywords=Audit Success Message=Cryptographic operation. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: tp-afe7d474-c623-4bbd-a160-c4a182231e76 Key Type: Machine key. Cryptographic Operation: Operation: Open Key. Return Code: 0x0 11/09/2020 11:25:36 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5058 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Other System Events OpCode=Info RecordNumber=227550 Keywords=Audit Success Message=Key file operation. 
Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: 70e9b61ed37810c0b430a5837f45d644_34ca4ca7-a721-48b1-9db0-17df5a4229a7 Key Type: Machine key. Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\70e9b61ed37810c0b430a5837f45d644_34ca4ca7-a721-48b1-9db0-17df5a4229a7 Operation: Read persisted key from file. Return Code: 0x0 11/09/2020 11:25:36 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5061 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=System Integrity OpCode=Info RecordNumber=227549 Keywords=Audit Success Message=Cryptographic operation. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0x6F65E Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: tp-afe7d474-c623-4bbd-a160-c4a182231e76 Key Type: Machine key. Cryptographic Operation: Operation: Open Key. Return Code: 0x0 11/09/2020 11:25:36 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5058 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Other System Events OpCode=Info RecordNumber=227548 Keywords=Audit Success Message=Key file operation. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0x6F65E Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: tp-afe7d474-c623-4bbd-a160-c4a182231e76 Key Type: Machine key. Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\70e9b61ed37810c0b430a5837f45d644_34ca4ca7-a721-48b1-9db0-17df5a4229a7 Operation: Read persisted key from file. 
Return Code: 0x0 11/09/2020 11:25:36 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5061 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=System Integrity OpCode=Info RecordNumber=227547 Keywords=Audit Success Message=Cryptographic operation. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0x6F65E Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: tp-afe7d474-c623-4bbd-a160-c4a182231e76 Key Type: Machine key. Cryptographic Operation: Operation: Open Key. Return Code: 0x0 11/09/2020 11:25:36 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5058 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Other System Events OpCode=Info RecordNumber=227546 Keywords=Audit Success Message=Key file operation. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0x6F65E Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: tp-afe7d474-c623-4bbd-a160-c4a182231e76 Key Type: Machine key. Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\70e9b61ed37810c0b430a5837f45d644_34ca4ca7-a721-48b1-9db0-17df5a4229a7 Operation: Read persisted key from file. Return Code: 0x0 11/09/2020 11:25:36 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5061 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=System Integrity OpCode=Info RecordNumber=227545 Keywords=Audit Success Message=Cryptographic operation. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0x6F65E Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: tp-afe7d474-c623-4bbd-a160-c4a182231e76 Key Type: Machine key. Cryptographic Operation: Operation: Open Key. Return Code: 0x0 11/09/2020 11:25:36 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5058 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Other System Events OpCode=Info RecordNumber=227544 Keywords=Audit Success Message=Key file operation. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0x6F65E Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: tp-afe7d474-c623-4bbd-a160-c4a182231e76 Key Type: Machine key. Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\70e9b61ed37810c0b430a5837f45d644_34ca4ca7-a721-48b1-9db0-17df5a4229a7 Operation: Read persisted key from file. Return Code: 0x0 11/09/2020 11:25:36 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5061 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=System Integrity OpCode=Info RecordNumber=227543 Keywords=Audit Success Message=Cryptographic operation. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0x6F65E Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: tp-afe7d474-c623-4bbd-a160-c4a182231e76 Key Type: Machine key. Cryptographic Operation: Operation: Open Key. Return Code: 0x0 11/09/2020 11:25:36 AM LogName=Security SourceName=Microsoft Windows security auditing. 
EventCode=5058 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Other System Events OpCode=Info RecordNumber=227542 Keywords=Audit Success Message=Key file operation. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0x6F65E Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: tp-afe7d474-c623-4bbd-a160-c4a182231e76 Key Type: Machine key. Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\70e9b61ed37810c0b430a5837f45d644_34ca4ca7-a721-48b1-9db0-17df5a4229a7 Operation: Read persisted key from file. Return Code: 0x0 11/09/2020 11:25:38 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4625 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227553 Keywords=Audit Failure Message=An account failed to log on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Type: 3 Account For Which Logon Failed: Security ID: NULL SID Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Failure Information: Failure Reason: Unknown user name or bad password. Status: 0xC000006D Sub Status: 0xC000006A Process Information: Caller Process ID: 0x0 Caller Process Name: - Network Information: Workstation Name: EC2AMAZ-VS2L7UP Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon request fails. It is generated on the computer where access was attempted. The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. 
The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network). The Process Information fields indicate which account and process on the system requested the logon. The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:25:38 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4625 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227552 Keywords=Audit Failure Message=An account failed to log on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Type: 3 Account For Which Logon Failed: Security ID: NULL SID Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Failure Information: Failure Reason: Unknown user name or bad password. Status: 0xC000006D Sub Status: 0xC000006A Process Information: Caller Process ID: 0x0 Caller Process Name: - Network Information: Workstation Name: EC2AMAZ-VS2L7UP Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon request fails. It is generated on the computer where access was attempted. The Subject fields indicate the account on the local system which requested the logon. 
This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network). The Process Information fields indicate which account and process on the system requested the logon. The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:25:40 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Security Group Management OpCode=Info RecordNumber=227558 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Administrators Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x414 Process Name: C:\Windows\System32\svchost.exe 11/09/2020 11:25:40 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Special Logon OpCode=Info RecordNumber=227557 Keywords=Audit Success Message=Special privileges assigned to new logon. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0x7E657 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:25:40 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227556 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0x7E657 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-VS2L7UP Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. 
the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:25:40 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227555 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:25:40 AM LogName=Security SourceName=Microsoft Windows security auditing. 
EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Credential Validation OpCode=Info RecordNumber=227554 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-VS2L7UP Error Code: 0x0 11/09/2020 11:25:41 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logoff OpCode=Info RecordNumber=227612 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0x7FCB9 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:25:41 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Special Logon OpCode=Info RecordNumber=227611 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0x8114F Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:25:41 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227610 Keywords=Audit Success Message=An account was successfully logged on. 
Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0x8114F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-VS2L7UP Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. 
- Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:25:41 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227609 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:25:41 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Credential Validation OpCode=Info RecordNumber=227608 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-VS2L7UP Error Code: 0x0 11/09/2020 11:25:41 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logoff OpCode=Info RecordNumber=227607 Keywords=Audit Success Message=An account was logged off. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0x81057 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
11/09/2020 11:25:41 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Special Logon OpCode=Info RecordNumber=227606 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0x81057 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
11/09/2020 11:25:41 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227605 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0x81057 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-VS2L7UP Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
11/09/2020 11:25:41 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227604 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
11/09/2020 11:25:41 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Credential Validation OpCode=Info RecordNumber=227603 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-VS2L7UP Error Code: 0x0
11/09/2020 11:25:41 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logoff OpCode=Info RecordNumber=227602 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0x80619 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
11/09/2020 11:25:41 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Special Logon OpCode=Info RecordNumber=227601 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0x80619 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
11/09/2020 11:25:41 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227600 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0x80619 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-VS2L7UP Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
11/09/2020 11:25:41 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227599 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
11/09/2020 11:25:41 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Credential Validation OpCode=Info RecordNumber=227598 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-VS2L7UP Error Code: 0x0
11/09/2020 11:25:41 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Special Logon OpCode=Info RecordNumber=227597 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0x7FCB9 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
11/09/2020 11:25:41 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227596 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0x7FCB9 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-VS2L7UP Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
11/09/2020 11:25:41 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227595 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
11/09/2020 11:25:41 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Credential Validation OpCode=Info RecordNumber=227594 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-VS2L7UP Error Code: 0x0
11/09/2020 11:25:41 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Security Group Management OpCode=Info RecordNumber=227593 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Administrators Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x414 Process Name: C:\Windows\System32\svchost.exe
11/09/2020 11:25:41 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Special Logon OpCode=Info RecordNumber=227592 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0x7F7F5 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
11/09/2020 11:25:41 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227591 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0x7F7F5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-VS2L7UP Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
11/09/2020 11:25:41 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227590 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
11/09/2020 11:25:41 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Credential Validation OpCode=Info RecordNumber=227589 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-VS2L7UP Error Code: 0x0
11/09/2020 11:25:41 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logoff OpCode=Info RecordNumber=227588 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0x7F70C Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
11/09/2020 11:25:41 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logoff OpCode=Info RecordNumber=227587 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0x7EF66 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
11/09/2020 11:25:41 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logoff OpCode=Info RecordNumber=227586 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0x7F444 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
11/09/2020 11:25:41 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Special Logon OpCode=Info RecordNumber=227585 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0x7F70C Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
11/09/2020 11:25:41 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227584 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0x7F70C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-VS2L7UP Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
11/09/2020 11:25:41 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227583 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
11/09/2020 11:25:41 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Credential Validation OpCode=Info RecordNumber=227582 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-VS2L7UP Error Code: 0x0
11/09/2020 11:25:41 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logoff OpCode=Info RecordNumber=227581 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0x7F6D5 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
11/09/2020 11:25:41 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Special Logon OpCode=Info RecordNumber=227580 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0x7F6D5 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
11/09/2020 11:25:41 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227579 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0x7F6D5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-VS2L7UP Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
11/09/2020 11:25:41 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227578 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
11/09/2020 11:25:41 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Credential Validation OpCode=Info RecordNumber=227577 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-VS2L7UP Error Code: 0x0
11/09/2020 11:25:41 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logoff OpCode=Info RecordNumber=227576 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0x7F64E Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
11/09/2020 11:25:41 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Special Logon OpCode=Info RecordNumber=227575 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0x7F64E Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
11/09/2020 11:25:41 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227574 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0x7F64E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-VS2L7UP Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
11/09/2020 11:25:41 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227573 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
11/09/2020 11:25:41 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Credential Validation OpCode=Info RecordNumber=227572 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-VS2L7UP Error Code: 0x0
11/09/2020 11:25:41 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Special Logon OpCode=Info RecordNumber=227571 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0x7F444 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
11/09/2020 11:25:41 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227570 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0x7F444 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-VS2L7UP Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
11/09/2020 11:25:41 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227569 Keywords=Audit Success Message=A logon was attempted using explicit credentials.
Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:25:41 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Credential Validation OpCode=Info RecordNumber=227568 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-VS2L7UP Error Code: 0x0 11/09/2020 11:25:41 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Security Group Management OpCode=Info RecordNumber=227567 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Administrators Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x414 Process Name: C:\Windows\System32\svchost.exe 11/09/2020 11:25:41 AM LogName=Security SourceName=Microsoft Windows security auditing. 
EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Special Logon OpCode=Info RecordNumber=227566 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0x7EF66 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:25:41 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227565 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0x7EF66 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-VS2L7UP Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. 
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:25:41 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227564 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. 
This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:25:41 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Credential Validation OpCode=Info RecordNumber=227563 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-VS2L7UP Error Code: 0x0 11/09/2020 11:25:41 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Special Logon OpCode=Info RecordNumber=227562 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0x7EE0F Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:25:41 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227561 Keywords=Audit Success Message=An account was successfully logged on. 
Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0x7EE0F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-VS2L7UP Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. 
- Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:25:41 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227560 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:25:41 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Credential Validation OpCode=Info RecordNumber=227559 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-VS2L7UP Error Code: 0x0 11/09/2020 11:25:42 AM LogName=Security SourceName=Microsoft Windows security auditing. 
EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Special Logon OpCode=Info RecordNumber=227667 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0x858F7 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:25:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227666 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0x858F7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-VS2L7UP Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. 
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:25:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227665 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. 
This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:25:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Credential Validation OpCode=Info RecordNumber=227664 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-VS2L7UP Error Code: 0x0 11/09/2020 11:25:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Security Group Management OpCode=Info RecordNumber=227663 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Administrators Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x414 Process Name: C:\Windows\System32\svchost.exe 11/09/2020 11:25:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Special Logon OpCode=Info RecordNumber=227662 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0x85310 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:25:42 AM LogName=Security SourceName=Microsoft Windows security auditing. 
EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227661 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0x85310 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-VS2L7UP Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. 
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:25:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227660 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:25:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Credential Validation OpCode=Info RecordNumber=227659 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. 
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-VS2L7UP Error Code: 0x0 11/09/2020 11:25:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logoff OpCode=Info RecordNumber=227658 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0x84CBC Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:25:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Special Logon OpCode=Info RecordNumber=227657 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0x851B5 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:25:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227656 Keywords=Audit Success Message=An account was successfully logged on. 
Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0x851B5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-VS2L7UP Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. 
- Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:25:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227655 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:25:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Credential Validation OpCode=Info RecordNumber=227654 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-VS2L7UP Error Code: 0x0 11/09/2020 11:25:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logoff OpCode=Info RecordNumber=227653 Keywords=Audit Success Message=An account was logged off. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0x850E0 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
11/09/2020 11:25:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Special Logon OpCode=Info RecordNumber=227652 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0x850E0 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
11/09/2020 11:25:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227651 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0x850E0 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-VS2L7UP Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
11/09/2020 11:25:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227650 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
11/09/2020 11:25:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Credential Validation OpCode=Info RecordNumber=227649 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-VS2L7UP Error Code: 0x0
11/09/2020 11:25:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Special Logon OpCode=Info RecordNumber=227648 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0x84CBC Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
11/09/2020 11:25:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227647 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0x84CBC Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-VS2L7UP Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
11/09/2020 11:25:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227646 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
11/09/2020 11:25:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Credential Validation OpCode=Info RecordNumber=227645 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-VS2L7UP Error Code: 0x0
11/09/2020 11:25:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Security Group Management OpCode=Info RecordNumber=227644 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Administrators Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x414 Process Name: C:\Windows\System32\svchost.exe
11/09/2020 11:25:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Special Logon OpCode=Info RecordNumber=227643 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0x83830 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
11/09/2020 11:25:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227642 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0x83830 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-VS2L7UP Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
11/09/2020 11:25:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227641 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
11/09/2020 11:25:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Credential Validation OpCode=Info RecordNumber=227640 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-VS2L7UP Error Code: 0x0
11/09/2020 11:25:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logoff OpCode=Info RecordNumber=227639 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0x7EE0F Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
11/09/2020 11:25:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logoff OpCode=Info RecordNumber=227638 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0x81E29 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
11/09/2020 11:25:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Special Logon OpCode=Info RecordNumber=227637 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0x83779 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
11/09/2020 11:25:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227636 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0x83779 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-VS2L7UP Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
11/09/2020 11:25:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227635 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
11/09/2020 11:25:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Credential Validation OpCode=Info RecordNumber=227634 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-VS2L7UP Error Code: 0x0
11/09/2020 11:25:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logoff OpCode=Info RecordNumber=227633 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0x83748 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
11/09/2020 11:25:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Special Logon OpCode=Info RecordNumber=227632 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0x83748 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
11/09/2020 11:25:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227631 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0x83748 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-VS2L7UP Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
11/09/2020 11:25:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227630 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
11/09/2020 11:25:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Credential Validation OpCode=Info RecordNumber=227629 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-VS2L7UP Error Code: 0x0
11/09/2020 11:25:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logoff OpCode=Info RecordNumber=227628 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0x82542 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
11/09/2020 11:25:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Special Logon OpCode=Info RecordNumber=227627 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0x82542 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
11/09/2020 11:25:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227626 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0x82542 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-VS2L7UP Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
11/09/2020 11:25:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227625 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
11/09/2020 11:25:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Credential Validation OpCode=Info RecordNumber=227624 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-VS2L7UP Error Code: 0x0
11/09/2020 11:25:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Special Logon OpCode=Info RecordNumber=227623 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0x81E29 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
11/09/2020 11:25:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227622 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0x81E29 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-VS2L7UP Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
11/09/2020 11:25:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227621 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
11/09/2020 11:25:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Credential Validation OpCode=Info RecordNumber=227620 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-VS2L7UP Error Code: 0x0
11/09/2020 11:25:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Security Group Management OpCode=Info RecordNumber=227619 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Administrators Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x414 Process Name: C:\Windows\System32\svchost.exe
11/09/2020 11:25:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Special Logon OpCode=Info RecordNumber=227618 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0x81551 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
11/09/2020 11:25:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227617 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0x81551 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-VS2L7UP Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
11/09/2020 11:25:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227616 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
11/09/2020 11:25:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Credential Validation OpCode=Info RecordNumber=227615 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account.
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-VS2L7UP Error Code: 0x0 11/09/2020 11:25:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logoff OpCode=Info RecordNumber=227614 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0x8114F Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:25:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logoff OpCode=Info RecordNumber=227613 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0x7F7F5 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:25:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Special Logon OpCode=Info RecordNumber=227713 Keywords=Audit Success Message=Special privileges assigned to new logon. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0x89575 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:25:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227712 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0x89575 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-VS2L7UP Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. 
the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:25:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227711 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:25:43 AM LogName=Security SourceName=Microsoft Windows security auditing. 
EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Credential Validation OpCode=Info RecordNumber=227710 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-VS2L7UP Error Code: 0x0 11/09/2020 11:25:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logoff OpCode=Info RecordNumber=227709 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0x88A45 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:25:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Special Logon OpCode=Info RecordNumber=227708 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0x88A45 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:25:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227707 Keywords=Audit Success Message=An account was successfully logged on. 
Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0x88A45 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-VS2L7UP Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. 
- Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:25:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227706 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:25:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Credential Validation OpCode=Info RecordNumber=227705 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-VS2L7UP Error Code: 0x0 11/09/2020 11:25:43 AM LogName=Security SourceName=Microsoft Windows security auditing. 
EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Special Logon OpCode=Info RecordNumber=227704 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0x88047 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:25:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227703 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0x88047 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-VS2L7UP Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. 
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:25:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227702 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. 
This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:25:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Credential Validation OpCode=Info RecordNumber=227701 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-VS2L7UP Error Code: 0x0 11/09/2020 11:25:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Security Group Management OpCode=Info RecordNumber=227700 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Administrators Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x414 Process Name: C:\Windows\System32\svchost.exe 11/09/2020 11:25:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Special Logon OpCode=Info RecordNumber=227699 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0x876E2 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:25:43 AM LogName=Security SourceName=Microsoft Windows security auditing. 
EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227698 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0x876E2 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-VS2L7UP Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. 
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:25:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227697 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:25:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Credential Validation OpCode=Info RecordNumber=227696 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. 
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-VS2L7UP Error Code: 0x0 11/09/2020 11:25:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logoff OpCode=Info RecordNumber=227695 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0x875F7 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:25:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logoff OpCode=Info RecordNumber=227694 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0x859F3 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:25:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logoff OpCode=Info RecordNumber=227693 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0x85F72 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 
11/09/2020 11:25:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Special Logon OpCode=Info RecordNumber=227692 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0x875F7 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:25:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227691 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0x875F7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-VS2L7UP Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. 
This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:25:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227690 Keywords=Audit Success Message=A logon was attempted using explicit credentials. 
Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
11/09/2020 11:25:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Credential Validation OpCode=Info RecordNumber=227689 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-VS2L7UP Error Code: 0x0
11/09/2020 11:25:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logoff OpCode=Info RecordNumber=227688 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0x875C6 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
11/09/2020 11:25:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Special Logon OpCode=Info RecordNumber=227687 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0x875C6 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
11/09/2020 11:25:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227686 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0x875C6 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-VS2L7UP Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
11/09/2020 11:25:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227685 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
11/09/2020 11:25:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Credential Validation OpCode=Info RecordNumber=227684 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-VS2L7UP Error Code: 0x0
11/09/2020 11:25:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logoff OpCode=Info RecordNumber=227683 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0x86261 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
11/09/2020 11:25:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Special Logon OpCode=Info RecordNumber=227682 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0x86261 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
11/09/2020 11:25:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227681 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0x86261 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-VS2L7UP Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
11/09/2020 11:25:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227680 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
11/09/2020 11:25:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Credential Validation OpCode=Info RecordNumber=227679 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-VS2L7UP Error Code: 0x0
11/09/2020 11:25:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Special Logon OpCode=Info RecordNumber=227678 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0x85F72 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
11/09/2020 11:25:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227677 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0x85F72 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-VS2L7UP Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
11/09/2020 11:25:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227676 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
11/09/2020 11:25:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Credential Validation OpCode=Info RecordNumber=227675 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-VS2L7UP Error Code: 0x0
11/09/2020 11:25:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Security Group Management OpCode=Info RecordNumber=227674 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Administrators Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x414 Process Name: C:\Windows\System32\svchost.exe
11/09/2020 11:25:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Special Logon OpCode=Info RecordNumber=227673 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0x859F3 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
11/09/2020 11:25:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227672 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0x859F3 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-VS2L7UP Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
11/09/2020 11:25:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227671 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
11/09/2020 11:25:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Credential Validation OpCode=Info RecordNumber=227670 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-VS2L7UP Error Code: 0x0
11/09/2020 11:25:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logoff OpCode=Info RecordNumber=227669 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0x858F7 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
11/09/2020 11:25:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logoff OpCode=Info RecordNumber=227668 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0x85310 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
11/09/2020 11:25:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logoff OpCode=Info RecordNumber=227719 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0x88047 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
11/09/2020 11:25:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Special Logon OpCode=Info RecordNumber=227718 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0x895AE Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
11/09/2020 11:25:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227717 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0x895AE Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-VS2L7UP Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
11/09/2020 11:25:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227716 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
11/09/2020 11:25:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Credential Validation OpCode=Info RecordNumber=227715 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-VS2L7UP Error Code: 0x0
11/09/2020 11:25:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logoff OpCode=Info RecordNumber=227714 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0x89575 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
11/09/2020 11:25:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Special Logon OpCode=Info RecordNumber=227736 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0x8C044 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
11/09/2020 11:25:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227735 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0x8C044 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-VS2L7UP Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
11/09/2020 11:25:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227734 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
11/09/2020 11:25:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Credential Validation OpCode=Info RecordNumber=227733 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-VS2L7UP Error Code: 0x0
11/09/2020 11:25:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Special Logon OpCode=Info RecordNumber=227732 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0x8B06A Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
11/09/2020 11:25:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227731 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0x8B06A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-VS2L7UP Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
11/09/2020 11:25:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227730 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
11/09/2020 11:25:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Credential Validation OpCode=Info RecordNumber=227729 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-VS2L7UP Error Code: 0x0
11/09/2020 11:25:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Special Logon OpCode=Info RecordNumber=227728 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0x8A2DB Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
11/09/2020 11:25:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227727 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0x8A2DB Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-VS2L7UP Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:25:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227726 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:25:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Credential Validation OpCode=Info RecordNumber=227725 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-VS2L7UP Error Code: 0x0 11/09/2020 11:25:46 AM LogName=Security SourceName=Microsoft Windows security auditing. 
EventCode=4799 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Security Group Management OpCode=Info RecordNumber=227724 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Administrators Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x414 Process Name: C:\Windows\System32\svchost.exe 11/09/2020 11:25:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Special Logon OpCode=Info RecordNumber=227723 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0x89E12 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:25:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227722 Keywords=Audit Success Message=An account was successfully logged on. 
Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0x89E12 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-VS2L7UP Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. 
- Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:25:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227721 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:25:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Credential Validation OpCode=Info RecordNumber=227720 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-VS2L7UP Error Code: 0x0 11/09/2020 11:25:47 AM LogName=Security SourceName=Microsoft Windows security auditing. 
EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Special Logon OpCode=Info RecordNumber=227740 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0x8CCA9 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:25:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227739 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0x8CCA9 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-VS2L7UP Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. 
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:25:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227738 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. 
This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:25:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Credential Validation OpCode=Info RecordNumber=227737 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-VS2L7UP Error Code: 0x0 11/09/2020 11:26:00 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Security Group Management OpCode=Info RecordNumber=227741 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0x89E12 Group: Security ID: BUILTIN\Administrators Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0xf20 Process Name: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 11/09/2020 11:26:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Special Logon OpCode=Info RecordNumber=227772 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0xA20BD Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:26:04 AM LogName=Security SourceName=Microsoft Windows security auditing. 
EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227771 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0xA20BD Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-VS2L7UP Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. 
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:26:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227770 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:26:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Credential Validation OpCode=Info RecordNumber=227769 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. 
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-VS2L7UP Error Code: 0x0 11/09/2020 11:26:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Special Logon OpCode=Info RecordNumber=227768 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0xA0488 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:26:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227767 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0xA0488 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-VS2L7UP Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. 
It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:26:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227766 Keywords=Audit Success Message=A logon was attempted using explicit credentials. 
Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:26:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Credential Validation OpCode=Info RecordNumber=227765 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-VS2L7UP Error Code: 0x0 11/09/2020 11:26:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Special Logon OpCode=Info RecordNumber=227764 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0xA0152 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:26:04 AM LogName=Security SourceName=Microsoft Windows security auditing. 
EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227763 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0xA0152 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-VS2L7UP Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. 
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:26:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227762 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:26:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Credential Validation OpCode=Info RecordNumber=227761 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. 
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-VS2L7UP Error Code: 0x0

11/09/2020 11:26:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Security Group Management OpCode=Info RecordNumber=227760 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Administrators Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x414 Process Name: C:\Windows\System32\svchost.exe

11/09/2020 11:26:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Special Logon OpCode=Info RecordNumber=227759 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0x9FA88 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege

11/09/2020 11:26:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227758 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0x9FA88 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-VS2L7UP Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.

11/09/2020 11:26:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227757 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.

11/09/2020 11:26:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Credential Validation OpCode=Info RecordNumber=227756 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-VS2L7UP Error Code: 0x0

11/09/2020 11:26:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logoff OpCode=Info RecordNumber=227755 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0x9F9A3 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.

11/09/2020 11:26:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logoff OpCode=Info RecordNumber=227754 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0x8A2DB Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.

11/09/2020 11:26:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Special Logon OpCode=Info RecordNumber=227753 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0x9F9A3 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege

11/09/2020 11:26:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227752 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0x9F9A3 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-VS2L7UP Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.

11/09/2020 11:26:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227751 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.

11/09/2020 11:26:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Credential Validation OpCode=Info RecordNumber=227750 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-VS2L7UP Error Code: 0x0

11/09/2020 11:26:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logoff OpCode=Info RecordNumber=227749 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0x9F96F Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.

11/09/2020 11:26:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Special Logon OpCode=Info RecordNumber=227748 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0x9F96F Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege

11/09/2020 11:26:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227747 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0x9F96F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-VS2L7UP Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.

11/09/2020 11:26:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227746 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.

11/09/2020 11:26:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Credential Validation OpCode=Info RecordNumber=227745 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-VS2L7UP Error Code: 0x0

11/09/2020 11:26:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logoff OpCode=Info RecordNumber=227744 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0x8CCA9 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.

11/09/2020 11:26:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logoff OpCode=Info RecordNumber=227743 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0x8C044 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.

11/09/2020 11:26:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logoff OpCode=Info RecordNumber=227742 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0x8B06A Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.

11/09/2020 11:26:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logoff OpCode=Info RecordNumber=227791 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0xA3234 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.

11/09/2020 11:26:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logoff OpCode=Info RecordNumber=227790 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0x9FA88 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.

11/09/2020 11:26:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logoff OpCode=Info RecordNumber=227789 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0xA0152 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.

11/09/2020 11:26:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Special Logon OpCode=Info RecordNumber=227788 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0xA3234 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege

11/09/2020 11:26:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227787 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0xA3234 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-VS2L7UP Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.

11/09/2020 11:26:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227786 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.

11/09/2020 11:26:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Credential Validation OpCode=Info RecordNumber=227785 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-VS2L7UP Error Code: 0x0

11/09/2020 11:26:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logoff OpCode=Info RecordNumber=227784 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0xA3203 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.

11/09/2020 11:26:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Special Logon OpCode=Info RecordNumber=227783 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0xA3203 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege

11/09/2020 11:26:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227782 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0xA3203 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-VS2L7UP Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.

11/09/2020 11:26:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227781 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.

11/09/2020 11:26:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Credential Validation OpCode=Info RecordNumber=227780 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-VS2L7UP Error Code: 0x0

11/09/2020 11:26:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logoff OpCode=Info RecordNumber=227779 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0xA2FBB Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.

11/09/2020 11:26:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logoff OpCode=Info RecordNumber=227778 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0xA20BD Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.

11/09/2020 11:26:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logoff OpCode=Info RecordNumber=227777 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0xA0488 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.

11/09/2020 11:26:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Special Logon OpCode=Info RecordNumber=227776 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0xA2FBB Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege

11/09/2020 11:26:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227775 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0xA2FBB Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-VS2L7UP Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.

11/09/2020 11:26:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227774 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.

11/09/2020 11:26:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Credential Validation OpCode=Info RecordNumber=227773 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-VS2L7UP Error Code: 0x0

11/09/2020 11:26:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Special Logon OpCode=Info RecordNumber=227808 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0xA5796 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege

11/09/2020 11:26:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227807 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0xA5796 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-VS2L7UP Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:26:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227806 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:26:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Credential Validation OpCode=Info RecordNumber=227805 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-VS2L7UP Error Code: 0x0 11/09/2020 11:26:06 AM LogName=Security SourceName=Microsoft Windows security auditing. 
EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Special Logon OpCode=Info RecordNumber=227804 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0xA3B0E Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:26:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227803 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0xA3B0E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-VS2L7UP Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. 
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:26:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227802 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. 
This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:26:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Credential Validation OpCode=Info RecordNumber=227801 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-VS2L7UP Error Code: 0x0 11/09/2020 11:26:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Special Logon OpCode=Info RecordNumber=227800 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0xA385A Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:26:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227799 Keywords=Audit Success Message=An account was successfully logged on. 
Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0xA385A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-VS2L7UP Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. 
- Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:26:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227798 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:26:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Credential Validation OpCode=Info RecordNumber=227797 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-VS2L7UP Error Code: 0x0 11/09/2020 11:26:06 AM LogName=Security SourceName=Microsoft Windows security auditing. 
EventCode=4799 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Security Group Management OpCode=Info RecordNumber=227796 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Administrators Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x414 Process Name: C:\Windows\System32\svchost.exe 11/09/2020 11:26:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Special Logon OpCode=Info RecordNumber=227795 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0xA33A2 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:26:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227794 Keywords=Audit Success Message=An account was successfully logged on. 
Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0xA33A2 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-VS2L7UP Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. 
- Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:26:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227793 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:26:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Credential Validation OpCode=Info RecordNumber=227792 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-VS2L7UP Error Code: 0x0 11/09/2020 11:26:07 AM LogName=Security SourceName=Microsoft Windows security auditing. 
EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Special Logon OpCode=Info RecordNumber=227812 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0xA623B Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:26:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227811 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0xA623B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-VS2L7UP Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. 
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:26:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227810 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. 
This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:26:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Credential Validation OpCode=Info RecordNumber=227809 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-VS2L7UP Error Code: 0x0 11/09/2020 11:26:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Special Logon OpCode=Info RecordNumber=227817 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0xB4B3A Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:26:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227816 Keywords=Audit Success Message=An account was successfully logged on. 
Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0xB4B3A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-VS2L7UP Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. 
- Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:26:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227815 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:26:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Credential Validation OpCode=Info RecordNumber=227814 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-VS2L7UP Error Code: 0x0 11/09/2020 11:26:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logoff OpCode=Info RecordNumber=227813 Keywords=Audit Success Message=An account was logged off. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0xA623B Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:26:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Security Group Management OpCode=Info RecordNumber=227829 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Backup Operators Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0xccc Process Name: C:\Windows\System32\VSSVC.exe 11/09/2020 11:26:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Security Group Management OpCode=Info RecordNumber=227828 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Administrators Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0xccc Process Name: C:\Windows\System32\VSSVC.exe 11/09/2020 11:26:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Security Group Management OpCode=Info RecordNumber=227827 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. 
Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Backup Operators Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0xccc Process Name: C:\Windows\System32\VSSVC.exe 11/09/2020 11:26:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Security Group Management OpCode=Info RecordNumber=227826 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Administrators Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0xccc Process Name: C:\Windows\System32\VSSVC.exe 11/09/2020 11:26:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Security Group Management OpCode=Info RecordNumber=227825 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Backup Operators Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0xccc Process Name: C:\Windows\System32\VSSVC.exe 11/09/2020 11:26:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Security Group Management OpCode=Info RecordNumber=227824 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. 
Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Administrators Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0xccc Process Name: C:\Windows\System32\VSSVC.exe 11/09/2020 11:26:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Special Logon OpCode=Info RecordNumber=227823 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:26:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227822 Keywords=Audit Success Message=An account was successfully logged on. 
Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x384 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. 
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:26:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Security Group Management OpCode=Info RecordNumber=227821 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Backup Operators Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0xccc Process Name: C:\Windows\System32\VSSVC.exe 11/09/2020 11:26:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Security Group Management OpCode=Info RecordNumber=227820 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Administrators Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0xccc Process Name: C:\Windows\System32\VSSVC.exe 11/09/2020 11:26:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Special Logon OpCode=Info RecordNumber=227819 Keywords=Audit Success Message=Special privileges assigned to new logon. 
Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:26:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227818 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x384 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). 
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:26:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Special Logon OpCode=Info RecordNumber=227861 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0xD0131 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:26:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227860 Keywords=Audit Success Message=An account was successfully logged on. 
Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0xD0131 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-VS2L7UP Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. 
- Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:26:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227859 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:26:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Credential Validation OpCode=Info RecordNumber=227858 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-VS2L7UP Error Code: 0x0 11/09/2020 11:26:46 AM LogName=Security SourceName=Microsoft Windows security auditing. 
EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Special Logon OpCode=Info RecordNumber=227857 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0xCE0BA Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:26:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227856 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0xCE0BA Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-VS2L7UP Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. 
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:26:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227855 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. 
This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:26:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Credential Validation OpCode=Info RecordNumber=227854 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-VS2L7UP Error Code: 0x0 11/09/2020 11:26:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Special Logon OpCode=Info RecordNumber=227853 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0xCDDD5 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:26:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227852 Keywords=Audit Success Message=An account was successfully logged on. 
Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0xCDDD5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-VS2L7UP Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. 
- Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:26:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227851 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:26:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Credential Validation OpCode=Info RecordNumber=227850 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-VS2L7UP Error Code: 0x0 11/09/2020 11:26:46 AM LogName=Security SourceName=Microsoft Windows security auditing. 
EventCode=4799 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Security Group Management OpCode=Info RecordNumber=227849 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Administrators Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x414 Process Name: C:\Windows\System32\svchost.exe 11/09/2020 11:26:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Special Logon OpCode=Info RecordNumber=227848 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0xCD41D Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:26:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227847 Keywords=Audit Success Message=An account was successfully logged on. 
Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0xCD41D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-VS2L7UP Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. 
- Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:26:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227846 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:26:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Credential Validation OpCode=Info RecordNumber=227845 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-VS2L7UP Error Code: 0x0 11/09/2020 11:26:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logoff OpCode=Info RecordNumber=227844 Keywords=Audit Success Message=An account was logged off. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0xCD1C5 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:26:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logoff OpCode=Info RecordNumber=227843 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0xA33A2 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:26:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logoff OpCode=Info RecordNumber=227842 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0xA385A Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:26:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Special Logon OpCode=Info RecordNumber=227841 Keywords=Audit Success Message=Special privileges assigned to new logon. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0xCD1C5 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:26:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227840 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0xCD1C5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-VS2L7UP Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. 
the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:26:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227839 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:26:46 AM LogName=Security SourceName=Microsoft Windows security auditing. 
EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Credential Validation OpCode=Info RecordNumber=227838 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-VS2L7UP Error Code: 0x0 11/09/2020 11:26:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logoff OpCode=Info RecordNumber=227837 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0xCD170 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:26:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Special Logon OpCode=Info RecordNumber=227836 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0xCD170 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:26:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227835 Keywords=Audit Success Message=An account was successfully logged on. 
Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0xCD170 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-VS2L7UP Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. 
- Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:26:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227834 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:26:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Credential Validation OpCode=Info RecordNumber=227833 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-VS2L7UP Error Code: 0x0 11/09/2020 11:26:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logoff OpCode=Info RecordNumber=227832 Keywords=Audit Success Message=An account was logged off. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0xB4B3A Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:26:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logoff OpCode=Info RecordNumber=227831 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0xA5796 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:26:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logoff OpCode=Info RecordNumber=227830 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0xA3B0E Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:26:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Special Logon OpCode=Info RecordNumber=227872 Keywords=Audit Success Message=Special privileges assigned to new logon. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0xD153C Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:26:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227871 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0xD153C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-VS2L7UP Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. 
the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:26:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227870 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:26:47 AM LogName=Security SourceName=Microsoft Windows security auditing. 
EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Credential Validation OpCode=Info RecordNumber=227869 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-VS2L7UP Error Code: 0x0 11/09/2020 11:26:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logoff OpCode=Info RecordNumber=227868 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0xD0E49 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:26:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logoff OpCode=Info RecordNumber=227867 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0xD0131 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:26:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logoff OpCode=Info RecordNumber=227866 Keywords=Audit Success Message=An account was logged off. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0xCE0BA Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:26:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Special Logon OpCode=Info RecordNumber=227865 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0xD0E49 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:26:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227864 Keywords=Audit Success Message=An account was successfully logged on. 
Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0xD0E49 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-VS2L7UP Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. 
- Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:26:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227863 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:26:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Credential Validation OpCode=Info RecordNumber=227862 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-VS2L7UP Error Code: 0x0 11/09/2020 11:26:48 AM LogName=Security SourceName=Microsoft Windows security auditing. 
EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Special Logon OpCode=Info RecordNumber=227897 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0xD4179 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:26:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227896 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0xD4179 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-VS2L7UP Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. 
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:26:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227895 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. 
This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:26:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Credential Validation OpCode=Info RecordNumber=227894 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-VS2L7UP Error Code: 0x0 11/09/2020 11:26:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Special Logon OpCode=Info RecordNumber=227893 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0xD24B0 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:26:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227892 Keywords=Audit Success Message=An account was successfully logged on. 
Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0xD24B0 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-VS2L7UP Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. 
- Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:26:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227891 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:26:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Credential Validation OpCode=Info RecordNumber=227890 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-VS2L7UP Error Code: 0x0 11/09/2020 11:26:48 AM LogName=Security SourceName=Microsoft Windows security auditing. 
EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Special Logon OpCode=Info RecordNumber=227889 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0xD20BF Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:26:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227888 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0xD20BF Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-VS2L7UP Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. 
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:26:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227887 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. 
This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:26:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Credential Validation OpCode=Info RecordNumber=227886 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-VS2L7UP Error Code: 0x0 11/09/2020 11:26:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Security Group Management OpCode=Info RecordNumber=227885 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Administrators Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x414 Process Name: C:\Windows\System32\svchost.exe 11/09/2020 11:26:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Special Logon OpCode=Info RecordNumber=227884 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0xD1684 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:26:48 AM LogName=Security SourceName=Microsoft Windows security auditing. 
EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227883 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0xD1684 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-VS2L7UP Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. 
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:26:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227882 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:26:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Credential Validation OpCode=Info RecordNumber=227881 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. 
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-VS2L7UP Error Code: 0x0 11/09/2020 11:26:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logoff OpCode=Info RecordNumber=227880 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0xD15A6 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:26:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logoff OpCode=Info RecordNumber=227879 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0xCD41D Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:26:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logoff OpCode=Info RecordNumber=227878 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0xCDDD5 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 
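The events around this point describe the correlation keys Windows gives an analyst: a 4648 names the account whose credentials were explicitly supplied, the 4624 that follows carries the New Logon "Logon ID", the 4672 lists the privileges attached to that same Logon ID, and the 4634 closes it. Note two practical points visible in the dump itself: the export is newest-first (RecordNumber decreases down the page, so a session's 4634 is printed before its 4624), and the text reminds you that Logon IDs are only unique between reboots on one host. The following is an added example, not code from the page or from the Attack Range project: it parses this Splunk-style layout, re-orders by RecordNumber, stitches 4648/4624/4672/4634 into sessions keyed by (ComputerName, Logon ID), and applies a hunting filter for short-lived sessions that were opened with explicit credentials and received SeDebugPrivilege. The sample log is constructed from the page's 0xD1684 session with the explanatory boilerplate omitted; the five-second threshold and the choice of SeDebugPrivilege are assumptions.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Constructed sample in the same layout as the dump above (newest record first, key=value
# header, then a flattened Message). Values are copied from the page's 0xD1684 session on
# EC2AMAZ-VS2L7UP; the explanatory boilerplate Windows appends to each Message is omitted.
SAMPLE_LOG = r"""11/09/2020 11:26:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logoff OpCode=Info RecordNumber=227915 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0xD1684 Logon Type: 3
11/09/2020 11:26:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Special Logon OpCode=Info RecordNumber=227884 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0xD1684 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
11/09/2020 11:26:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227883 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0xD1684 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-VS2L7UP Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0
11/09/2020 11:26:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227882 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: -
11/09/2020 11:26:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Credential Validation OpCode=Info RecordNumber=227881 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-VS2L7UP Error Code: 0x0
"""

# Every event starts with a timestamp followed by "LogName="; split on that boundary.
EVENT_START = re.compile(r'(?=\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2} [AP]M LogName=)')
HEADER_KV = re.compile(r'(\w+)=(\S+)')
HEX_ID = r'(0x[0-9A-Fa-f]+)'


@dataclass
class Event:
    time: datetime
    record: int
    code: int
    computer: str
    message: str


@dataclass
class Session:
    computer: str
    logon_id: str
    account: str = ''
    logon_type: str = ''
    logon_process: str = ''
    process: str = ''
    elevated: str = ''
    explicit_creds: bool = False                        # a matching 4648 preceded the 4624
    privileges: List[str] = field(default_factory=list)  # from 4672
    started: Optional[datetime] = None                  # 4624
    ended: Optional[datetime] = None                    # 4634

    @property
    def duration_seconds(self) -> Optional[float]:
        if self.started is None or self.ended is None:
            return None
        return (self.ended - self.started).total_seconds()


def grab(pattern: str, text: str) -> str:
    """First capture group of pattern in text, or '' when absent."""
    m = re.search(pattern, text)
    return m.group(1) if m else ''


def parse_events(text: str) -> List[Event]:
    """Split a flattened dump into events and return them in RecordNumber order.
    The export is newest-first, so a session's 4634 appears above its 4624."""
    events = []
    for chunk in EVENT_START.split(text):
        chunk = chunk.strip()
        if not chunk:
            continue
        head, _, message = chunk.partition(' Message=')
        kv = dict(HEADER_KV.findall(head))
        events.append(Event(datetime.strptime(chunk[:22], '%m/%d/%Y %I:%M:%S %p'),
                            int(kv['RecordNumber']), int(kv['EventCode']),
                            kv['ComputerName'], message))
    return sorted(events, key=lambda e: e.record)


def correlate_sessions(text: str) -> Dict[Tuple[str, str], Session]:
    """Stitch 4648 -> 4624 -> 4672 -> 4634 together. Sessions are keyed by
    (ComputerName, Logon ID) because Logon IDs are only unique between reboots of
    one host; a production version would also clear the table on a 4608 startup event."""
    sessions: Dict[Tuple[str, str], Session] = {}
    pending_4648: set = set()  # (computer, account, process) awaiting a 4624
    for ev in parse_events(text):
        msg = ev.message
        if ev.code == 4648:
            pending_4648.add((ev.computer,
                              grab(r'Account Whose Credentials Were Used: Account Name: (\S+)', msg),
                              grab(r'Process Name: (\S+)', msg)))
        elif ev.code == 4624:
            # The New Logon block holds the session's Logon ID; the Subject block is the requester.
            logon_id = grab(r'New Logon: .*? Logon ID: ' + HEX_ID, msg)
            s = sessions.setdefault((ev.computer, logon_id), Session(ev.computer, logon_id))
            s.account = grab(r'New Logon: Security ID: .*? Account Name: (\S+)', msg)
            s.logon_type = grab(r'Logon Type: (\d+)', msg)
            s.elevated = grab(r'Elevated Token: (\w+)', msg)
            s.process = grab(r'Process Name: (\S+)', msg)
            s.logon_process = grab(r'Logon Process: (\S+)', msg)
            s.started = ev.time
            s.explicit_creds = (ev.computer, s.account, s.process) in pending_4648
            pending_4648.discard((ev.computer, s.account, s.process))
        elif ev.code in (4672, 4634):
            logon_id = grab(r'Subject: .*? Logon ID: ' + HEX_ID, msg)
            s = sessions.setdefault((ev.computer, logon_id), Session(ev.computer, logon_id))
            if ev.code == 4672:
                s.privileges = grab(r'Privileges: (.*)', msg).split()
            else:
                s.ended = ev.time
    return sessions


def short_lived_privileged_sessions(sessions: Dict[Tuple[str, str], Session],
                                    max_seconds: float = 5.0,
                                    privilege: str = 'SeDebugPrivilege') -> List[Session]:
    """Hunting filter: sessions opened with explicit credentials, granted `privilege`,
    and torn down within max_seconds. Threshold and privilege are assumed values."""
    return [s for s in sessions.values()
            if s.explicit_creds and privilege in s.privileges
            and s.duration_seconds is not None and s.duration_seconds <= max_seconds]


if __name__ == '__main__':
    for s in short_lived_privileged_sessions(correlate_sessions(SAMPLE_LOG)):
        print(f'{s.computer} {s.logon_id} {s.account} type={s.logon_type} via '
              f'{s.logon_process}/{s.process} explicit={s.explicit_creds} '
              f'{s.duration_seconds}s privs={len(s.privileges)}')
```

On this host the filter would fire roughly once a second: the dump shows svchost.exe (PID 0x54c) using Administrator's credentials against localhost through the Advapi logon process and tearing the session down within a second, which is the scheduled-task or RunAs shape the 4648 text describes. Treat the filter as a starting point and baseline it by requesting process, Logon Process and target server before alerting on it; the point of the example is the correlation by Logon ID and the record-order handling, not the threshold.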
11/09/2020 11:26:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Special Logon OpCode=Info RecordNumber=227877 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0xD15A6 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:26:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227876 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0xD15A6 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-VS2L7UP Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. 
This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:26:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227875 Keywords=Audit Success Message=A logon was attempted using explicit credentials. 
Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:26:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Credential Validation OpCode=Info RecordNumber=227874 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-VS2L7UP Error Code: 0x0 11/09/2020 11:26:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logoff OpCode=Info RecordNumber=227873 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0xD153C Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:26:49 AM LogName=Security SourceName=Microsoft Windows security auditing. 
EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Special Logon OpCode=Info RecordNumber=227920 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0xD5785 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:26:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227919 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0xD5785 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-VS2L7UP Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. 
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:26:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227918 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. 
This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:26:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Credential Validation OpCode=Info RecordNumber=227917 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-VS2L7UP Error Code: 0x0 11/09/2020 11:26:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logoff OpCode=Info RecordNumber=227916 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0xD568A Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:26:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logoff OpCode=Info RecordNumber=227915 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0xD1684 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:26:49 AM LogName=Security SourceName=Microsoft Windows security auditing. 
EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logoff OpCode=Info RecordNumber=227914 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0xD20BF Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:26:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Special Logon OpCode=Info RecordNumber=227913 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0xD568A Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:26:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227912 Keywords=Audit Success Message=An account was successfully logged on. 
Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0xD568A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-VS2L7UP Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. 
- Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:26:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227911 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:26:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Credential Validation OpCode=Info RecordNumber=227910 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-VS2L7UP Error Code: 0x0 11/09/2020 11:26:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logoff OpCode=Info RecordNumber=227909 Keywords=Audit Success Message=An account was logged off. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0xD5659 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:26:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Special Logon OpCode=Info RecordNumber=227908 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0xD5659 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:26:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227907 Keywords=Audit Success Message=An account was successfully logged on. 
Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0xD5659 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-VS2L7UP Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. 
- Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:26:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227906 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:26:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Credential Validation OpCode=Info RecordNumber=227905 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-VS2L7UP Error Code: 0x0 11/09/2020 11:26:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logoff OpCode=Info RecordNumber=227904 Keywords=Audit Success Message=An account was logged off. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0xD4DFB Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:26:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logoff OpCode=Info RecordNumber=227903 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0xD4179 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:26:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logoff OpCode=Info RecordNumber=227902 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0xD24B0 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:26:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Special Logon OpCode=Info RecordNumber=227901 Keywords=Audit Success Message=Special privileges assigned to new logon. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0xD4DFB Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:26:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227900 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0xD4DFB Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-VS2L7UP Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. 
the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:26:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227899 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:26:49 AM LogName=Security SourceName=Microsoft Windows security auditing. 
EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Credential Validation OpCode=Info RecordNumber=227898 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-VS2L7UP Error Code: 0x0 11/09/2020 11:26:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logoff OpCode=Info RecordNumber=227949 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0xD9289 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:26:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Special Logon OpCode=Info RecordNumber=227948 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0xD9289 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:26:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227947 Keywords=Audit Success Message=An account was successfully logged on. 
Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0xD9289 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-VS2L7UP Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. 
- Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:26:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227946 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:26:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Credential Validation OpCode=Info RecordNumber=227945 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-VS2L7UP Error Code: 0x0 11/09/2020 11:26:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logoff OpCode=Info RecordNumber=227944 Keywords=Audit Success Message=An account was logged off. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0xD73B4 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:26:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Special Logon OpCode=Info RecordNumber=227943 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0xD73B4 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:26:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227942 Keywords=Audit Success Message=An account was successfully logged on. 
Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0xD73B4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-VS2L7UP Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. 
- Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:26:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227941 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:26:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Credential Validation OpCode=Info RecordNumber=227940 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-VS2L7UP Error Code: 0x0 11/09/2020 11:26:50 AM LogName=Security SourceName=Microsoft Windows security auditing. 
EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Special Logon OpCode=Info RecordNumber=227939 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0xD710C Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:26:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227938 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0xD710C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-VS2L7UP Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. 
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:26:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227937 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. 
This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:26:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Credential Validation OpCode=Info RecordNumber=227936 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-VS2L7UP Error Code: 0x0 11/09/2020 11:26:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logoff OpCode=Info RecordNumber=227935 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0xD70DB Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:26:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Special Logon OpCode=Info RecordNumber=227934 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0xD70DB Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:26:50 AM LogName=Security SourceName=Microsoft Windows security auditing. 
EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227933 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0xD70DB Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-VS2L7UP Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. 
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:26:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227932 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:26:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Credential Validation OpCode=Info RecordNumber=227931 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. 
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-VS2L7UP Error Code: 0x0 11/09/2020 11:26:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logoff OpCode=Info RecordNumber=227930 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0xD5F42 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:26:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Special Logon OpCode=Info RecordNumber=227929 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0xD5F42 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:26:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227928 Keywords=Audit Success Message=An account was successfully logged on. 
Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0xD5F42 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-VS2L7UP Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. 
- Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:26:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227927 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:26:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Credential Validation OpCode=Info RecordNumber=227926 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-VS2L7UP Error Code: 0x0 11/09/2020 11:26:50 AM LogName=Security SourceName=Microsoft Windows security auditing. 
EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Special Logon OpCode=Info RecordNumber=227925 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0xD5C5C Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:26:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227924 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0xD5C5C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-VS2L7UP Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. 
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:26:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227923 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. 
This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:26:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Credential Validation OpCode=Info RecordNumber=227922 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-VS2L7UP Error Code: 0x0 11/09/2020 11:26:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Security Group Management OpCode=Info RecordNumber=227921 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Administrators Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x414 Process Name: C:\Windows\System32\svchost.exe 11/09/2020 11:26:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Special Logon OpCode=Info RecordNumber=227966 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0xDAA8E Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:26:51 AM LogName=Security SourceName=Microsoft Windows security auditing. 
EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227965 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0xDAA8E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-VS2L7UP Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. 
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:26:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227964 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:26:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Credential Validation OpCode=Info RecordNumber=227963 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. 
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-VS2L7UP Error Code: 0x0 11/09/2020 11:26:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logoff OpCode=Info RecordNumber=227962 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0xDA452 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:26:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Special Logon OpCode=Info RecordNumber=227961 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0xDA452 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:26:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227960 Keywords=Audit Success Message=An account was successfully logged on. 
Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0xDA452 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-VS2L7UP Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. 
- Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:26:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227959 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:26:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Credential Validation OpCode=Info RecordNumber=227958 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-VS2L7UP Error Code: 0x0 11/09/2020 11:26:51 AM LogName=Security SourceName=Microsoft Windows security auditing. 
EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Special Logon OpCode=Info RecordNumber=227957 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0xD9649 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:26:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227956 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0xD9649 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-VS2L7UP Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. 
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:26:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227955 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. 
This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:26:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Credential Validation OpCode=Info RecordNumber=227954 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-VS2L7UP Error Code: 0x0 11/09/2020 11:26:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Special Logon OpCode=Info RecordNumber=227953 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0xD92D5 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:26:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227952 Keywords=Audit Success Message=An account was successfully logged on. 
Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0xD92D5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-VS2L7UP Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. 
- Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:26:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227951 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:26:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Credential Validation OpCode=Info RecordNumber=227950 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-VS2L7UP Error Code: 0x0 11/09/2020 11:26:53 AM LogName=Security SourceName=Microsoft Windows security auditing. 
EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Special Logon OpCode=Info RecordNumber=228001 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0xDCC8F Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:26:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=228000 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0xDCC8F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-VS2L7UP Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. 
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:26:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227999 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. 
This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:26:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Credential Validation OpCode=Info RecordNumber=227998 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-VS2L7UP Error Code: 0x0 11/09/2020 11:26:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logoff OpCode=Info RecordNumber=227997 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0xDB821 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:26:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Special Logon OpCode=Info RecordNumber=227996 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0xDB821 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:26:53 AM LogName=Security SourceName=Microsoft Windows security auditing. 
EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227995 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0xDB821 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-VS2L7UP Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. 
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:26:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227994 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:26:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Credential Validation OpCode=Info RecordNumber=227993 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. 
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-VS2L7UP Error Code: 0x0 11/09/2020 11:26:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Special Logon OpCode=Info RecordNumber=227992 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0xDB568 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:26:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227991 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0xDB568 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-VS2L7UP Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. 
It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:26:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227990 Keywords=Audit Success Message=A logon was attempted using explicit credentials. 
Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:26:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Credential Validation OpCode=Info RecordNumber=227989 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-VS2L7UP Error Code: 0x0 11/09/2020 11:26:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Special Logon OpCode=Info RecordNumber=227988 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0xDB122 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:26:53 AM LogName=Security SourceName=Microsoft Windows security auditing. 
EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227987 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0xDB122 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-VS2L7UP Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. 
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:26:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227986 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:26:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Credential Validation OpCode=Info RecordNumber=227985 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. 
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-VS2L7UP Error Code: 0x0 11/09/2020 11:26:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Audit Policy Change OpCode=Info RecordNumber=227984 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\program_files_windows_defender_3e33901162166ae9.cdf-ms Handle ID: 0x5c Process Information: Process ID: 0xe14 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 11/09/2020 11:26:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Audit Policy Change OpCode=Info RecordNumber=227983 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\program_files_ffd0cbfc813cc4f1.cdf-ms Handle ID: 0x5c Process Information: Process ID: 0xe14 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 11/09/2020 11:26:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Audit Policy Change OpCode=Info RecordNumber=227982 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\program_files_x86__676bbe2c7241b694.cdf-ms Handle ID: 0x5c Process Information: Process ID: 0xe14 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 11/09/2020 11:26:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Audit Policy Change OpCode=Info RecordNumber=227981 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\programdata_microsoft_windows_start_menu_programs_system_tools_fde5decba5bb578b.cdf-ms Handle ID: 0x5c Process Information: Process ID: 0xe14 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 11/09/2020 11:26:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Audit Policy Change OpCode=Info RecordNumber=227980 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\programdata_microsoft_windows_start_menu_programs_d672ba09d81e87ff.cdf-ms Handle ID: 0x5c Process Information: Process ID: 0xe14 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 11/09/2020 11:26:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Audit Policy Change OpCode=Info RecordNumber=227979 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\programdata_microsoft_windows_start_menu_fde55420546edfe6.cdf-ms Handle ID: 0x5c Process Information: Process ID: 0xe14 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 11/09/2020 11:26:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Audit Policy Change OpCode=Info RecordNumber=227978 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\programdata_microsoft_windows_cae2264614449191.cdf-ms Handle ID: 0x5c Process Information: Process ID: 0xe14 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 11/09/2020 11:26:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Audit Policy Change OpCode=Info RecordNumber=227977 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\programdata_microsoft_fe5c6d762edd2110.cdf-ms Handle ID: 0x5c Process Information: Process ID: 0xe14 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 11/09/2020 11:26:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Audit Policy Change OpCode=Info RecordNumber=227976 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\programdata.cdf-ms Handle ID: 0x5c Process Information: Process ID: 0xe14 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 11/09/2020 11:26:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Audit Policy Change OpCode=Info RecordNumber=227975 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_elambkup_0bc02aa0c28485f3.cdf-ms Handle ID: 0x5c Process Information: Process ID: 0xe14 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 11/09/2020 11:26:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Audit Policy Change OpCode=Info RecordNumber=227974 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_drivers_dc1b782427b5ee1b.cdf-ms Handle ID: 0x5c Process Information: Process ID: 0xe14 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 11/09/2020 11:26:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Audit Policy Change OpCode=Info RecordNumber=227973 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_windowspowershell_v1.0_modules_a349059b05097caa.cdf-ms Handle ID: 0x5c Process Information: Process ID: 0xe14 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 11/09/2020 11:26:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Audit Policy Change OpCode=Info RecordNumber=227972 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_windowspowershell_v1.0_3f102d555ee05d33.cdf-ms Handle ID: 0x5c Process Information: Process ID: 0xe14 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 11/09/2020 11:26:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Audit Policy Change OpCode=Info RecordNumber=227971 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_21f9a9c4a2f8b514.cdf-ms Handle ID: 0x5c Process Information: Process ID: 0xe14 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 11/09/2020 11:26:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Audit Policy Change OpCode=Info RecordNumber=227970 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_syswow64_21ffbdd2a2dd92e0.cdf-ms Handle ID: 0x5c Process Information: Process ID: 0xe14 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 11/09/2020 11:26:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Audit Policy Change OpCode=Info RecordNumber=227969 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$.cdf-ms Handle ID: 0x58 Process Information: Process ID: 0xe14 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 11/09/2020 11:26:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Audit Policy Change OpCode=Info RecordNumber=227968 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\_0000000000000000.cdf-ms Handle ID: 0x58 Process Information: Process ID: 0xe14 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 11/09/2020 11:26:53 AM LogName=Security SourceName=Microsoft Windows security auditing. 
EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logoff OpCode=Info RecordNumber=227967 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0xDAA8E Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:26:55 AM LogName=Security SourceName=Microsoft-Windows-Eventlog EventCode=1100 EventType=4 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Service shutdown OpCode=Info RecordNumber=228002 Keywords=Audit Success Message=The event logging service has shut down. 11/09/2020 11:27:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Process Creation OpCode=Info RecordNumber=228005 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x248 New Process Name: C:\Windows\System32\autochk.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x1bc Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. 
An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 11/09/2020 11:27:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Process Creation OpCode=Info RecordNumber=228004 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1bc New Process Name: C:\Windows\System32\smss.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x4 Creator Process Name: Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. 
An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 11/09/2020 11:27:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4826 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Other Policy Change Events OpCode=Info RecordNumber=228003 Keywords=Audit Success Message=Boot Configuration Data loaded. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 General Settings: Load Options: - Advanced Options: No Configuration Access Policy: Default System Event Logging: No Kernel Debugging: No VSM Launch Type: Off Signature Settings: Test Signing: No Flight Signing: No Disable Integrity Checks: No HyperVisor Settings: HyperVisor Load Options: - HyperVisor Launch Type: Off HyperVisor Debugging: No 11/09/2020 11:27:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Process Creation OpCode=Info RecordNumber=228011 Keywords=Audit Success Message=A new process has been created. 
Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x304 New Process Name: C:\Windows\System32\winlogon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x2bc Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 11/09/2020 11:27:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Process Creation OpCode=Info RecordNumber=228010 Keywords=Audit Success Message=A new process has been created. 
Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x2cc New Process Name: C:\Windows\System32\csrss.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x2bc Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 11/09/2020 11:27:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Process Creation OpCode=Info RecordNumber=228009 Keywords=Audit Success Message=A new process has been created. 
Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x2c4 New Process Name: C:\Windows\System32\wininit.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x274 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 11/09/2020 11:27:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Process Creation OpCode=Info RecordNumber=228008 Keywords=Audit Success Message=A new process has been created. 
Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x2bc New Process Name: C:\Windows\System32\smss.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x1bc Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 11/09/2020 11:27:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Process Creation OpCode=Info RecordNumber=228007 Keywords=Audit Success Message=A new process has been created. 
Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x27c New Process Name: C:\Windows\System32\csrss.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x274 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 11/09/2020 11:27:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Process Creation OpCode=Info RecordNumber=228006 Keywords=Audit Success Message=A new process has been created. 
Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x274 New Process Name: C:\Windows\System32\smss.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x1bc Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 11/09/2020 11:27:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Special Logon OpCode=Info RecordNumber=228020 Keywords=Audit Success Message=Special privileges assigned to new logon. 
Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: NETWORK SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E4 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege 11/09/2020 11:27:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Logon OpCode=Info RecordNumber=228019 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: NETWORK SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x34c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. 
The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols.